Cisco 350-701 Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Exam Practice Test

 Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy1. MFA is important to implement inside of an organization because it can prevent brute force attacks from being successful. A brute force attack is a type of cyberattack that tries to guess the user’s password or PIN by trying different combinations until it finds the correct one. This can be done manually or with automated tools. MFA can stop brute force attacks by requiring an additional factor of authentication that the attacker does not have, such as a phone, a token, a biometric, or a location. MFA can also reduce the risk of other types of attacks that rely on stealing or compromising the user’s credentials, such as phishing, keylogging, or credential stuffing. References := 1: What is Multi-Factor Authentication (MFA)? | OneLogin

Explanation

Unlike the traditional software life cycle, the CI/CD implementation process gives a weekly or daily update

instead of monthly or quarterly. The fun part is customers won’t even realize the update is in their applications,

as they happen on the fly.

 The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter. References :=

Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02

Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?

Explanation

Explanation

Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and

scalability needs.

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

The intelligent proxy is a feature of Cisco Umbrella that allows it to selectively inspect and proxy web requests for domains that are classified as risky or potentially malicious. These domains may contain both safe and harmful content, and the intelligent proxy can filter out the malicious files or URLs while allowing the benign ones to pass through. The intelligent proxy can also apply SSL decryption to inspect encrypted traffic and enforce policies based on the content or destination of the web requests. To enable the intelligent proxy, an engineer needs to configure it within the Cisco Umbrella dashboard and select the categories of domains that should be proxied. The categories are based on the domain reputation and security risk, and range from High Risk to Low Risk. The engineer can also customize the list of domains to include or exclude from the intelligent proxy. By configuring the intelligent proxy, the engineer can achieve the objectives of identifying and proxying traffic that is categorized as risky domains and may contain safe and malicious content. References :=

Some possible references are:

Enable the Intelligent Proxy - Umbrella User Guide, Cisco

Manage the Intelligent Proxy - Umbrella User Guide, Cisco

Intelligent Proxy in Cisco Umbrella how it works, Cisco Learning Network

What is the Intelligent Proxy? - MSP User Guide, Cisco

Cisco Umbrella Intelligent Proxy and SSL Decryption implementation, Cisco Community

The Cisco Stealthwatch system collects and analyzes network telemetry such as flow (NetFlow, sFlow, JFlow, IPFIX, etc.) from routers, switches, and firewalls to monitor network and user behavior. The system conducts sophisticated, proprietary analytics on network data to automatically detect abnormal behaviors that may signify an attack1. NetFlow is a protocol that provides information about network traffic flows, such as source and destination IP addresses, ports, protocols, bytes, packets, and timestamps. NetFlow data can be used to identify network anomalies, bandwidth usage, application performance, and security incidents2. References :=

Some possible references are:

1: Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics, Zones, 3 2: What is NetFlow? Definition and Benefits, Cisco, 7

Explanation

Explanation

There are three basic categories of attack:

+ volume-based attacks, which use high traffic to inundate the network bandwidth

+ protocol attacks, which focus on exploiting server resources

+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/

single methods of authentication can be compromised more easily than MFA. MFA, or multi-factor authentication, is a security process that requires users to provide two or more factors to verify their identity and access resources. MFA reduces the risk of unauthorized access by making it harder for attackers to compromise all the factors needed, especially if they are different in nature, such as something you know (password), something you have (token), and something you are (biometric).

To understand the concept of MFA and why it is important for authentication security, you can refer to the following sections of the source book:

Section 1.1.1: Describe the concepts of identity and access management

Section 1.1.1.1: Describe the concepts of identity principles

Section 1.1.1.2: Describe the concepts of authentication

Section 1.1.1.3: Describe the concepts of authorization

Section 1.1.1.4: Describe the concepts of accounting

Section 1.1.1.5: Describe the concepts of identity stores

Section 1.1.1.6: Describe the concepts of MFA

The Cisco DNA Center RESTful PNP API allows external applications to interact with the Plug and Play (PNP) service of Cisco DNA Center, which automates the onboarding and provisioning of network devices. The PNP API has several endpoints for different operations, such as importing, claiming, updating, and deleting devices. The endpoint that adds and claims a device into a workflow is api/v1/onboarding/pnp-device/import, which takes a JSON payload with the device information and the workflow ID. This endpoint creates a new device entry in the PNP database and associates it with the specified workflow. The workflow defines the configuration template, image, and license to be applied to the device during the provisioning process12. References:

1: See How to Use the Plug and Play API in DNA Center – Part 2

2: Cisco DNA Center Platform User Guide, Release 2.2.3

In order to send web traffic transparently to the Web Security Appliance (WSA), the system administrator can use one of these two methods:

Policy-based routing (PBR) on the network infrastructure: This method allows the administrator to define routing policies based on the source or destination IP address, port number, protocol, or other criteria of the web traffic. The administrator can then apply these policies to the network interfaces or subinterfaces and redirect the matching traffic to the WSA. This method does not require any configuration on the client side and can be applied to any type of web traffic, including HTTPS and FTP. However, this method may require additional network resources and maintenance, as well as coordination with other network administrators.

Web Cache Communication Protocol (WCCP) on the WSA and the network device: This method allows the administrator to configure the WSA and the network device (such as a router, switch, or firewall) to communicate with each other using WCCP, a Cisco proprietary protocol. The network device acts as a WCCP router and redirects the web traffic to the WSA, which acts as a WCCP client. The WSA then processes the traffic and returns it to the network device, which forwards it to the original destination. This method does not require any configuration on the client side and can be applied to HTTP, HTTPS, and native FTP traffic. However, this method requires that the network device supports WCCP and that the WSA and the network device are in the same Layer 2 domain.

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.

Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

The WSA uses a root certificate and a private key to decrypt HTTPS traffic. The root certificate must reside in the trusted store of the WSA, and it must be able to sign server certificates on the fly. The server certificates that the WSA generates must contain a SAN (Subject Alternative Name) field, which specifies the hostnames or IP addresses that the certificate is valid for. The SAN field is required by modern browsers and applications to verify the identity of the server. If the WSA does not include a SAN field in the server certificate, the browser or application may reject the connection or display a warning message.

The other options are not correct because:

A. The current date is not a criterion for the WSA to use a certificate to decrypt application traffic. The WSA checks the validity period of the certificate, which includes the start date and the end date. The current date must be within the validity period, but it does not have to be the same as the start date or the end date.

C. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to reside in the trusted store of the endpoint. However, the endpoint must trust the root certificate in order to accept the server certificate that the WSA generates. This can be achieved by manually installing the root certificate on the endpoint, or by using a group policy or a certificate management system to distribute the root certificate to the endpoints.

D. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to be signed by an internal CA. The WSA can generate its own self-signed root certificate, or it can use a root certificate that is signed by an external CA. However, the root certificate must be trusted by the endpoints, as explained in option C.

References := : WSA Certificate Usage for HTTPS Decryption : [User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic]

EDR stands for endpoint detection and response, while EPP stands for endpoint protection platform. EDR and EPP are two types of endpoint security solutions that have different capabilities and objectives. EDR provides real-time visibility into endpoint activities, detects malicious behavior and anomalies, and enables security teams to investigate and respond to threats. EPP prevents, detects, and remediates security threats on endpoints, such as known and unknown malware, ransomware, and zero-day vulnerabilities. EPP solutions may also include EDR capabilities, but not all EDR solutions include EPP capabilities.

One of the key features of EDR is retrospective analysis, which means the ability to look back at historical endpoint data and identify the root cause, scope, and impact of a security incident. Retrospective analysis helps security teams understand how the threat entered the network, what actions it performed, and how to prevent it from happening again. EPP solutions, on the other hand, do not provide retrospective analysis, as they are mainly focused on preventing and remediating threats, rather than investigating and responding to them.

Therefore, the correct answer is B. Retrospective analysis is a characteristic of an EDR solution and not of an EPP solution.

MDM stands for Mobile Device Management, which is a system that performs compliance checks and remote wiping on mobile devices. MDM allows administrators to enforce security policies, monitor device status, and remotely manage devices in case of loss, theft, or compromise. MDM can also integrate with other Cisco security solutions, such as ISE, AMP, and Umbrella, to provide enhanced protection and visibility for mobile devices. References:

Mobile Device Management (MDM) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 5: Secure Network Access

Explanation

Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can compromise the user’s interaction with the web application, steal sensitive data, perform unauthorized actions, and more. To prevent XSS, web developers need to apply various defensive techniques to ensure that user-supplied data is not interpreted as code by the browser. Two of these techniques are:

Incorporate contextual output encoding/escaping: This means that any user-supplied data that is displayed on the web page should be properly encoded or escaped according to the context where it appears. For example, if the data is inserted into an HTML attribute, it should be HTML attribute encoded; if the data is inserted into a JavaScript string, it should be JavaScript string encoded; and so on. This prevents the data from breaking out of its intended context and being executed as code by the browser. Output encoding should be done by using a reliable library or framework that supports different contexts and encodings.

Run untrusted HTML input through an HTML sanitization engine: This means that any user-supplied data that is intended to contain HTML markup should be filtered and validated by a sanitization engine that removes or escapes any potentially dangerous elements, attributes, or scripts. This prevents the attacker from injecting malicious HTML code that can execute scripts, load external resources, redirect the user, or perform other malicious actions. HTML sanitization should be done by using a well-tested and maintained library or framework that follows the best practices and standards for HTML filtering.

References :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Web Application Security, Topic 5.2.2: Cross-Site Scripting (XSS)

Cross Site Scripting Prevention Cheat Sheet - OWASP

What is cross-site scripting (XSS) and how to prevent it? - Web Security Academy

 Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of containerized applications across multiple clouds. It provides the following benefits to customers who utilize cloud service providers12:

Allows developers to create code once and deploy to multiple clouds. CCP is based on open source components, such as Kubernetes and Docker, that are compatible with various cloud platforms. This enables developers to write code once and run it anywhere, without worrying about the underlying infrastructure or vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing customers to leverage the best features of different cloud providers and optimize their costs and performance.

Manages Kubernetes clusters. CCP automates the installation, configuration, and maintenance of Kubernetes clusters, which are groups of nodes that run containerized applications. CCP provides a simple GUI-driven menu system to deploy clusters, as well as automated monthly updates for bug fixes, feature enhancements, and security patches. CCP also offers a choice of networking solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters. CCP also integrates with Cisco AppDynamics and Prometheus for visibility and monitoring of the clusters and applications. References:

Cisco Container Platform - Cisco

Cisco Container Platform - At-a-Glance - Cisco

Explanation

The call to API of “https://api.amp.cisco.com/v1/computers” allows us to fetch list of computers across your

organization that Advanced Malware Protection (AMP) sees

A serverless application is one that does not require the developer to manage the underlying infrastructure or servers. Instead, the application code is executed by a cloud provider in response to events or triggers, such as HTTP requests, database changes, or messages. The cloud provider automatically provisions, scales, and manages the resources needed to run the code, and charges only for the time and resources consumed by the execution. A serverless application runs from an ephemeral, event-triggered, and stateless container that is fully managed by a cloud provider. This means that the container is created on demand when an event occurs, and is destroyed when the execution is completed. The container does not store any persistent state or data, and is isolated from other containers. The cloud provider handles the load balancing, fault tolerance, security, and monitoring of the container. A serverless application can leverage various cloud services, such as databases, storage, messaging, analytics, and machine learning, to perform complex tasks and functionalities. Serverless computing is a cloud-native development model that enables developers to focus on the business logic and deliver faster and more scalable applications. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.1: Cloud Computing Concepts

What is serverless? - Red Hat

Serverless computing and applications | Microsoft Azure

 Intelligent Multi-Scan (IMS) is a feature that enables the Cisco ESA to perform multiple anti-spam scans on each message and apply different actions based on the results. IMS also includes the Graymail Detection and Safe Unsubscribe services, which allow the ESA to identify and filter messages that are not strictly spam, but are low-priority or unwanted by the end user, such as newsletters, social media notifications, or marketing emails. The Graymail Detection service can classify messages into different categories, such as bulk, mass, or subscription, and assign different scores and verdicts to them. The Safe Unsubscribe service can provide a link for the end user to safely unsubscribe from the sender’s mailing list, without revealing their email address or opening a malicious URL. To enable the blocking of greymail for the end user, the administrator must first enable the IMS feature globally and then configure the Graymail and Safe Unsubscribe settings in the mail policies. The administrator can also enable the centralized spam quarantine and the end-user quarantine interface to allow the end user to manage their own quarantined messages. References :=

Best Practice Guide for Anti-Spam, Anti-Virus, Graymail and Outbreak Filters

Graymail Detection and Safe Unsubscribing Functionality

 A private cloud is a cloud deployment model that is dedicated to a single organization and provides exclusive access to its resources and services. A private cloud can be hosted on-premises or off-premises by a third-party provider, but in either case, the organization has full control and visibility over the security, privacy, and compliance of its data and applications. A private cloud can also leverage the security features and best practices of the public cloud service provider, if applicable, while maintaining a higher degree of isolation and customization. A private cloud is the most secure deployment model when considering risks to cloud adoption, as it minimizes the exposure of sensitive data to external threats, reduces the dependency on the security posture of the cloud service provider, and enables the organization to meet its specific security and regulatory requirements123. References: 1: Best Practices to Manage Risks in the Cloud - ISACA 2: Security in the Microsoft Cloud Adoption Framework for Azure 3: Five challenges to cloud adoption and how to overcome them - PwC Middle East

Cisco FTDv is a virtual appliance that combines the features of Cisco ASA and Cisco Firepower NGIPS. It provides stateful firewall, IPS, URL filtering, malware protection, and other advanced security functions. Cisco ASAv is a virtual appliance that only provides stateful firewall and VPN features. It does not support URL filtering or other Firepower functions. Therefore, Cisco FTDv provides more features than ASAv, especially for next-generation firewall capabilities. References :=

Cisco Firewall in AWS - Should i use ASAv or FTDv/FMCv?

Difference between Cisco ASAv, NGIPSv and FTDv…?

Are there any differences in features between Cisco ASA hardware …

Cisco Advanced Phishing Protection (AAP) is a solution that helps organizations protect against fraudulent senders and identity deception-based attacks, such as business email compromise (BEC) and spear phishing. AAP uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to perform two main functions12:

It determines if the email messages are malicious by assessing the threat posture of the sender and the content of the message. It also validates the reputation and authenticity of the sender by checking various indicators, such as the domain, the IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to address, and the header information. AAP assigns a risk score to each email message and provides a verdict of clean, malicious, or suspicious. It also adds a banner to the email message to inform the recipient of the risk level and the recommended action.

It does a real-time user web browsing behavior analysis by monitoring the user’s interaction with the email message and the links embedded in it. It tracks the user’s clicks, mouse movements, dwell time, and other indicators to detect any signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of the links and compares it with the known malicious websites. If AAP detects any anomalous or risky behavior, it intervenes with a warning message or a redirect page to educate the user and prevent them from falling victim to the phishing attack. References := 1: Cisco’s Security Innovations to Protect the Endpoint and Email 2: Cisco Advanced Phishing Protection - Cisco Video Portal

 SNMP (Simple Network Management Protocol) is the most commonly used protocol for network telemetry. SNMP is a standard protocol that allows network devices to exchange management information1. SNMP agents run on network devices and collect data about their status, performance, configuration, and events. SNMP managers run on network management systems and query the agents for data or receive notifications from them. SNMP can also be used to configure or control network devices remotely2. SNMP is widely supported by various vendors and platforms, and it provides a simple and flexible way to monitor and manage networks3.

 1: What is SNMP? | Cisco 2: SNMP Basics: What is SNMP and How It Works | SolarWinds 3: Network Telemetry Explained: Frameworks, Applications & Standards | Splunk

A next-generation endpoint security solution is a modern approach of combining user and system behavior analytics with AI and machine learning to provide endpoint security12. These solutions are specifically designed to detect unknown malware and zero-day threats, which other non-next-generation solutions might fail to detect3. Two key deliverables that help justify the implementation of a next-generation endpoint security solution are:

Continuous monitoring of all files that are located on connected endpoints. This feature allows the solution to scan and analyze all files on the endpoints, regardless of their origin or type, and identify any malicious or suspicious behavior. This helps to prevent malware from infecting the endpoints or spreading to other devices on the network4.

Real-time feeds from global threat intelligence centers. This feature enables the solution to leverage the latest information and insights from various sources, such as security researchers, vendors, and customers, to detect and block new and emerging threats. This helps to keep the endpoints updated and protected from the most advanced and sophisticated attacks5.

References := 1: Overview of next-generation protection in Microsoft Defender for Endpoint 2: What Is Next-Generation Endpoint Security? 2024 Ultimate Guide - SelectHub 3: [Next

DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or establish command and control channels between a compromised host and an attacker-controlled server. DNS tunneling can bypass network security controls that allow outbound DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended approaches are:

Enforce security over port 53. This means applying firewall rules, access control lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS servers and domains. Additionally, DNS traffic should be inspected and analyzed for anomalies, such as unusually large or frequent queries, non-standard encoding, or suspicious domains. This can help detect and block DNS tunneling attempts.

Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can prevent DNS tunneling by blocking malicious domains, enforcing policies based on content categories, and applying machine learning to identify and stop emerging threats. Cisco Umbrella can also provide visibility and reporting on DNS activity and security events.

References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

What Is DNS Tunneling? - Palo Alto Networks

An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara

To add a device into Cisco DNA Center with the native API, the POST method and the name attribute are required. The POST method is used to create a new resource on the server, such as a device. The name attribute is used to specify the hostname or IP address of the device to be added. The POST method requires a JSON body that contains the device information, such as the name, type, role, credentials, and other optional parameters. The Cisco DNA Center API documentation provides an example of the JSON body and the response for adding a device1. The Cisco DNA Center Platform User Guide also explains how to use the native API to add devices2. References := 1: Cisco DNA Center API Documentation - Add Device 2: Cisco DNA Center Platform User Guide, Release 2.3.5 - Manage Devices Using the Native API

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

 Cisco NBAR2 is a classification engine that recognizes and classifies a wide variety of protocols and applications based on their deep packet inspection (DPI) signatures. NBAR2 enables the platform to identify and output various applications within the network traffic flows, such as web, email, voice, video, and so on. NBAR2 also supports custom protocols and applications, allowing the platform to classify traffic based on user-defined criteria. NBAR2 helps the platform to apply the appropriate quality of service (QoS), security, and policy for each application or protocol. References :=

Some possible references are:

Cisco NBAR2

Classifying Network Traffic Using NBAR

Next Generation NBAR (NBAR2)

 Suppression is a feature of Cisco Next Generation Intrusion Prevention System (NGIPS) that allows you to reduce false positives and unwanted alerts by filtering out specific traffic from the intrusion detection and prevention process. You can configure suppression based on different criteria, such as port, rule, source, destination, and network. The two valid suppression types for this question are port and rule. Port suppression allows you to exclude traffic based on the source or destination port number, or both. For example, you can suppress alerts for port 80 (HTTP) traffic if you are not interested in web-based attacks. Rule suppression allows you to exclude traffic based on the rule ID (SID) or the rule category. For example, you can suppress alerts for rules that belong to the policy-violations category if you are not concerned about them. You can also suppress alerts for specific rules that are not relevant to your network or generate too many false positives. References

The purpose of a Denial-of-Service (DoS) attack is to disrupt the normal operation of a targeted system, server, or network by overwhelming it with a flood of internet traffic. This is achieved by utilizing multiple compromised computer systems as sources of attack traffic. The overwhelming amount of traffic can cause the targeted system to slow down significantly or even crash and become unavailable to legitimate users, thereby denying service to intended users.

Explanation

Cisco DNA Center has four general sections aligned to IT workflows:

Design: Design your network for consistent configurations by device and by site. Physical maps and logical topologies help provide quick visual reference. The direct import feature brings in existing maps, images, and topologies directly from Cisco Prime Infrastructure and the Cisco Application Policy Infrastructure Controller

Enterprise Module (APIC-EM), making upgrades easy and quick. Device configurations by site can be

consolidated in a “golden image” that can be used to automatically provision new network devices. These new devices can either be pre-staged by associating the device details and mapping to a site. Or they can be claimed upon connection and mapped to the site.

Policy: Translate business intent into network policies and apply those policies, such as access control, traffic routing, and quality of service, consistently over the entire wired and wireless infrastructure. Policy-based access control and network segmentation is a critical function of the Cisco Software-Defined Access (SDAccess) solution built from Cisco DNA Center and Cisco Identity Services Engine (ISE). Cisco AI Network Analytics and Cisco Group-Based Policy Analytics running in the Cisco DNA Center identify endpoints, group similar endpoints, and determine group communication behavior. Cisco DNA Center then facilitates creating policies that determine the form of communication allowed between and within members of each group. ISE then activates the underlying infrastructure and segments the network creating a virtual overlay to follow these

policies consistently. Such segmenting implements zero-trust security in the workplace, reduces risk, contains

threats, and helps verify regulatory compliance by giving endpoints just the right level of access they need.

Provision: Once you have created policies in Cisco DNA Center, provisioning is a simple drag-and-drop task.

The profiles (called scalable group tags or “SGTs”) in the Cisco DNA Center inventory list are assigned a policy, and this policy will always follow the identity. The process is completely automated and zero-touch. New devices added to the network are assigned to an SGT based on identity—greatly facilitating remote office setups.

Assurance: Cisco DNA Assurance, using AI/ML, enables every point on the network to become a sensor, sending continuous streaming telemetry on application performance and user connectivity in real time. The clean and simple dashboard shows detailed network health and flags issues. Then, guided remediation

automates resolution to keep your network performing at its optimal with less mundane troubleshooting work.

The outcome is a consistent experience and proactive optimization of your network, with less time spent on troubleshooting tasks.

The command show authen sess int gi0/1 displays the authentication session information for the interface gi0/1, such as the MAC address, the authentication method, the authentication state, the session timeout, and the VLAN assignment. This command is useful for verifying the status of an 802.1X connection on a specific interface. The other commands are not related to 802.1X authentication. The command show authorization status displays the authorization status for the current user. The command show connection status gi0/1 is not a valid Cisco command. The command show ver gi0/1 displays the version information for the interface gi0/1. References: 802.1X Authentication Commands, Configuring IEEE 802.1x Port-Based Authentication, What Cisco command shows you the status of an 802.1X connection on interface gi0/1?

Explanation

Each of the ASAs interfaces need to be grouped into one or more bridge groups. Each of these groups acts as an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge group without assistance from an external router.

As of 8.4(1) upto 8 bridge groups are supported with 2-4 interface in each group. Prior to this only one bridge group was supported and only 2 interfaces.

Up to 4 interfaces are permitted per bridge–group (inside, outside, DMZ1, DMZ2)

Explanation

Explanation

The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email Security

Gateway:

Prevents the following:

+ Attacks that use compromised accounts and social engineering.

+ Phishing, ransomware, zero-day attacks and spoofing.

+ BEC with no malicious payload or URL.

Cisco AnyConnect is a client-based VPN solution that provides secure remote access for individual users from their machines. It allows customization of access policies based on user identity, such as group membership, device posture, or location. This enables granular control over who can access what resources on the network. Cisco AnyConnect also supports various authentication methods, such as certificates, multifactor authentication, or single sign-on. Cisco AnyConnect can be deployed with Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) as the VPN headend.

Cisco DMVPN is a network-based VPN solution that provides dynamic, on-demand, and scalable connectivity for branch offices, teleworkers, and business partners. It uses multipoint GRE (mGRE) tunnels and Next Hop Resolution Protocol (NHRP) to establish direct spoke-to-spoke communications without traversing the hub. It also supports IPsec encryption and various routing protocols over the tunnel. Cisco DMVPN can be deployed with Cisco IOS routers as the VPN headend.

The advantages of using Cisco AnyConnect over DMVPN are:

It enables VPN access for individual users from their machines, which is useful for mobile workers or telecommuters who need to connect to the network from anywhere.

It allows customization of access policies based on user identity, which is useful for enforcing security and compliance requirements for different types of users or devices.

The advantages of using DMVPN over Cisco AnyConnect are:

It provides spoke-to-spoke communications without traversing the hub, which reduces latency and bandwidth consumption for traffic between remote sites.

It allows different routing protocols to work over the tunnel, which provides flexibility and scalability for network design and management.

Explanation

The user “admin5” was configured with privilege level 5. In order to allow configuration (enter global

configuration mode), we must type this command:

(config)#privilege exec level 5 configure terminal

Without this command, this user cannot do any configuration.

Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC)

Explanation

In order to use AAA along with an external token authentication mechanism, set the “Method” as “Both” in

the Authentication.

Cisco Identity Services Engine (ISE) is a product that provides comprehensive and scalable access policy enforcement for wired and wireless networks. ISE supports TACACS+ for device administration, which allows for granular control over the commands and actions that network administrators can perform on network devices. ISE also supports 802.1X, MAB, and WebAuth for network access, which enables authentication and authorization of users and endpoints based on various attributes, such as identity, device type, posture, location, and time. ISE can also integrate with other Cisco security products, such as Cisco Stealthwatch and Cisco AMP for Endpoints, to provide enhanced visibility and threat detection. Therefore, ISE is the product that meets all of the requirements stated in the question. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Network Access, Identity Management, and Secure Access

TACACS+ Configuration Guide, Configuring TACACS

Cisco Identity Services Engine Administrator Guide, Release 2.7, Device Administration

Cisco Identity Services Engine Administrator Guide, Release 2.7, Network Access Devices

Cisco Identity Services Engine Administrator Guide, Release 2.7, Policy Sets

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella] 5: [Advanced Malware Protection - Cisco Umbrella]

 File discovery is a feature of Cisco AMP that allows the engineering team to search for files across all endpoints in the network based on their SHA-256 hashes. File discovery can help identify whether a file is installed on a selected few workstations, and also provide information such as file name, path, size, date, and disposition. File discovery can be used to locate malicious files, unauthorized software, or sensitive data on the endpoints. File discovery can be accessed from the Outbreak Control menu in the AMP console1. References: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.html

 The configuration snippet in the image is a part of IKEv2 configuration where the name mangler is associated with the organizational unit (OU) “MANGLER”. In Cisco’s IKEv2 implementation, this specific configuration means that only an IKEv2 peer whose certificate has an OU attribute set to “MANGLER” can establish an IKEv2 Security Association successfully. This is a method of ensuring that only peers with certificates issued to a specific organizational unit can connect, enhancing security by limiting unauthorized access. The name mangler is a feature that allows the administrator to specify a string that must be present in the peer’s certificate for authentication. The name mangler can be applied to any certificate field, such as common name (CN), organization (O), or OU. The name mangler can also be used to modify the peer’s identity based on the certificate field, such as appending or prepending a string to the identity. The name mangler is configured under the IKEv2 profile using the command crypto ikev2 profile profile-name identity name-mangler name-mangler-name dn field-name. In this case, the name mangler is applied to the OU field of the peer’s certificate. The other options are incorrect because they do not describe the effect of the name mangler configuration. Option A is incorrect because the name mangler does not affect the identity matching for the IKEv2 authorization policy. The identity matching is based on the peer’s identity type and value, which can be different from the certificate field. Option C is incorrect because the name mangler does not encrypt the OU field of the peer’s certificate. The OU field is part of the certificate’s subject, which is not encrypted in the IKEv2 messages. Option D is incorrect because the name mangler does not set the OU field of the peer’s certificate. The OU field is determined by the certificate authority (CA) that issues the certificate, and the name mangler only verifies or modifies the peer’s identity based on the OU field. References : Configuring Internet Key Exchange Version 2, Internet Key Exchange Version 2 CLI Constructs, Tutorial: Setting up a certificate-based IKEv2 VPN connection (RSA)

Explanation

The command “snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]” adds a new user (in this case “andy”) to an SNMPv3 group (in this case group name “myv3”) and configures a password for the user.

In the “snmp-server host” command, we need to:

+ Specify the SNMP version with key word “version {1 | 2 | 3}”

+ Specify the username (“andy”), not group name (“myv3”).

Note: In “snmp-server host inside …” command, “inside” is the interface name of the ASA interface through which the NMS (located at 10.255.254.1) can be reached.

Cisco FMC is the centralized management solution for Cisco FTD appliances. It provides configuration, monitoring, analysis, and reporting capabilities for FTD devices. Cisco FMC can also manage Cisco ASAs that have been converted to FTD devices. Cisco FMC can be deployed as a physical or virtual appliance, or as a cloud service (CDO). However, since the organization does not have a local VM, CDO is not an option. Cisco FDM is the on-box management solution for FTD devices, which does not support centralized management or ASA migration. CSM is the legacy management solution for Cisco ASAs, which does not support FTD devices. References :=

Some possible references are:

Cisco Firepower Management Center Configuration Guide, Version 6.7

Install and Upgrade FTD on Firepower Appliances

Firepower Threat Defense simplifies application security

Explanation

Domain name system (DNS) is the protocol that translates human-friendly URLs, such as securitytut.com, into IP addresses, such as 183.33.24.13. Because DNS messages are only used as the beginning of each communication and they are not intended for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, DNS-based attacks can be effective if launched against their networks. DNS tunneling is one such attack.

An example of DNS Tunneling is shown below:

The attacker incorporates one of many open-source DNS tunneling kits into an authoritative DNSnameserver (NS) and malicious payload.2. An IP address (e.g. 1.2.3.4) is allocated from the attacker’s infrastructure and a domain name (e.g. attackerdomain.com) is registered or reused. The registrar informs the top-level domain (.com) nameservers to refer requests for attackerdomain.com to ns.attackerdomain.com, which has a DNS record mapped to 1.2.3.43. The attacker compromises a system with the malicious payload. Once the desired data is obtained, the payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9, P028X977W,…).4. The payload initiates thousands of unique DNS record requests to the attacker’s domain with each string as

RADIUS Change of Authorization (CoA) is a feature of Cisco ASA that allows VPN users to be postured against Cisco ISE without requiring an inline posture node. RADIUS CoA enables the ISE to send a message to the ASA to change the authorization attributes of an existing VPN session, such as the assigned IP address, ACL, or group policy. This way, the ISE can dynamically adjust the access level of the VPN user based on the posture assessment results, without the need for an intermediate device to enforce the policy change12. RADIUS CoA is supported by the ASA since version 9.2.13. References: 1: ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco 2: How To: ISE and ASA Integration using CoA for Posture - Cisco Community 3: How To Configure Posture with AnyConnect Compliance … - Cisco CommunityQUESTION NO: 94

What two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services?

(Choose two)

A. multiple factor auth

B. local web auth

C. single sign-on

D. central web auth

E. TACACS+

Answer: B, D

 Local web authentication (LWA) and central web authentication (CWA) are two mechanisms that are used to redirect users to a web portal to authenticate to ISE for guest services. Both methods involve the use of a redirect access control list (ACL) that allows the user to access only the web portal URL and blocks all other traffic until the user is authenticated. The difference between LWA and CWA is where the web portal and the authentication logic are hosted.

LWA: The web portal and the authentication logic are hosted on the wireless LAN controller (WLC). The WLC sends a RADIUS access-accept message to the network access device (NAD) along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the WLC, where the user enters their credentials. The WLC verifies the credentials with the ISE and grants or denies access to the user. The advantage of LWA is that it does not require any configuration on the ISE, but the disadvantage is that it does not support advanced features such as posture assessment, profiling, or authorization policies.

CWA: The web portal and the authentication logic are hosted on the ISE. The WLC sends a RADIUS access-challenge message to the NAD along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the ISE, where the user enters their credentials. The ISE verifies the credentials and sends a RADIUS access-accept message to the WLC with the authorization profile and the final ACL. The WLC then applies the authorization profile and the final ACL to the user session. The advantage of CWA is that it supports advanced features such as posture assessment, profiling, or authorization policies, but the disadvantage is that it requires more configuration on the ISE.

References :=

Configure Guest Access

Web Authentication Redirection to Original URL

Configure Local Web Authentication with External Authentication

 Cisco AMP for Endpoints is the Cisco security solution that determines if an endpoint has the latest OS updates and patches installed on the system. Cisco AMP for Endpoints is a cloud-based endpoint protection platform that provides advanced malware prevention, detection, and response capabilities. One of the features of Cisco AMP for Endpoints is the Endpoint Compliance Scanner, which allows administrators to create and enforce policies that check the compliance status of endpoints based on various criteria, such as OS version, patch level, antivirus status, firewall status, and more. The Endpoint Compliance Scanner can also remediate non-compliant endpoints by applying patches, updating antivirus signatures, enabling firewall, and so on. By using the Endpoint Compliance Scanner, administrators can ensure that all endpoints are up to date and secure against known vulnerabilities and threats. References:

Cisco AMP for Endpoints

Endpoint Compliance Scanner

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 4: Endpoint Protection and Detection

The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. This means that the ASA acts as a proxy between the Cisco IP Phone and the Cisco Unified Communications Manager (UCM), decrypting, inspecting, and re-encrypting the voice signaling traffic. To do this, the ASA needs to have the certificates of the devices that the phone trusts, such as the UCM servers and the TFTP servers. These certificates are stored in a Certificate Trust List (CTL) file that the phone downloads from the UCM before registration. Therefore, the ASA must be added to the CTL file on the UCM platform, so that the phone can verify the identity of the ASA as a proxy. The other options are not relevant for this scenario. The Endpoint Trust List is a list of certificates that the UCM trusts for encrypted endpoints. The Enterprise Proxy Service is a feature that allows the UCM to route calls to and from the public switched telephone network (PSTN) through a SIP proxy server. The Secured Collaboration Proxy is a feature that allows the UCM to encrypt the media streams between endpoints using Secure Real-Time Transport Protocol (SRTP). References :=

Cisco Secure Firewall ASA Unified Communications Guide - TLS Proxy for Encrypted Voice Inspection

TLS Proxy for Encrypted Voice Inspection - Cisco

Where must the ASA be added on the Cisco UC Manager platform?

 To prevent rogue NTP servers from inserting themselves as the authoritative time source, the administrator needs to configure NTP authentication and specify the interface for syncing to the NTP server. NTP authentication allows the ASA to verify the identity and integrity of the NTP packets received from the server, using a shared secret key. Specifying the interface for syncing to the NTP server ensures that the ASA uses the correct source address for sending and receiving NTP packets, and avoids potential routing issues. The other options are not required or relevant for this task. Specifying the NTP version is optional and does not affect security. Configuring the NTP stratum is only applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a dependency on DNS resolution and may cause synchronization problems if the DNS server changes the IP address of the NTP server. References :=

Some possible references are:

Configure NTP Authentication on Secure Network Analytics

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 - Basic Settings

Cisco ASA NTP and Clock Configuration with Examples

Explanation

Cisco Email Security Appliance (ESA) protects the email infrastructure and employees who use email at work

by filtering unsolicited and malicious email before it reaches the user. Cisco ESA easily integrates into existing

email infrastructures with a high degree of flexibility. It does this by acting as a Mail Transfer Agent (MTA) within

the email-delivery chain. Another name for an MTA is a mail relay.

To force a session to be adjusted after a policy change is made, two configurations are required on Cisco ISE and on Cisco TrustSec devices: Dynamic Authorization and Change of Authorization (CoA). Dynamic Authorization allows Cisco ISE to send commands to network devices to change the authorization status of a user session. CoA is a feature that enables Cisco ISE to send a RADIUS message to a network device to reauthenticate or disconnect a user session. These two configurations enable Cisco ISE to apply the updated policy to the user session without requiring the user to log out and log in again.

According to the source book, the steps to configure Dynamic Authorization and CoA are as follows1:

On Cisco ISE, navigate to Administration > Network Resources > Network Devices and select the network device that supports TrustSec.

On the Edit Network Device page, select the Advanced TrustSec Settings tab and check the Support for CoA check box.

On the same tab, select the appropriate CoA type from the drop-down list. The options are RADIUS Disconnect, Port Bounce, and Reauth.

Click Submit to save the changes.

On the network device, enter the global configuration mode and issue the command aaa server radius dynamic-author to enable Dynamic Authorization.

Optionally, you can specify the source interface, authentication key, and port number for the Dynamic Authorization messages.

Exit the global configuration mode and save the configuration.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.2: Implementing TrustSec, Topic 4.2.3: Configuring TrustSec on Cisco ISE and Network Devices, pp. 4-83 to 4-85.

Explanation

Cisco Context Directory Agent (CDA) is a mechanism that maps IP Addresses to usernames in order to allow

security gateways to understand which user is using which IP Address in the network, so those security

gateways can now make decisions based on those users (or the groups to which the users belong to).

CDA runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.

A network administrator can transparently identify users using Active Directory on the Cisco WSA in two ways:

Create NTLM or Kerberos authentication realm and enable transparent user identification. This option allows the WSA to use the NTLM or Kerberos protocol to authenticate users without prompting them for credentials. The WSA must join the Active Directory domain and have a valid service principal name (SPN) for this option to work1.

Deploy a separate Active Directory agent such as Cisco Context Directory Agent (CDA). This option allows the WSA to receive user-to-IP mappings from the CDA, which monitors the Active Directory domain controllers for user logon events. The CDA must be installed on a Windows server and have access to the domain controllers and the WSA2.

The other options are not ways to transparently identify users using Active Directory on the Cisco WSA. Creating an LDAP authentication realm and disabling transparent user identification will require users to enter their credentials manually. Installing the eDirectory client on each client workstation or deploying a separate eDirectory server are not related to Active Directory, but to Novell eDirectory, which is a different directory service3.

References := 1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3. 2: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory Agent, page 4-5. 3: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: eDirectory, page 4-8.

In Cisco Secure Endpoint, to create a custom detection file list for detecting and quarantining future files, an advanced custom detection should be created, and the hash of each file to be detected and quarantined should be uploaded. This allows the system to uniquely identify and take action on files based on their hash values, providing a precise method for targeting specific malicious or unwanted files.

A cloud access security broker (CASB) is a security solution that helps protect cloud-hosted services and applications from cyberattacks and data breaches. A CASB acts as an intermediary between cloud users and cloud providers, and enforces the organization’s security policies and compliance requirements. A CASB integrates with other cloud solutions via APIs and monitors the cloud activity and data across multiple platforms and devices. A CASB can also create incidents based on events from the cloud solution, such as unauthorized access, data leakage, malware infection, or policy violation. A CASB can then alert the administrators, block the malicious actions, or remediate the issues. A CASB provides visibility, control, and protection for the organization’s cloud environment12.

References :=

What Is a Cloud Access Security Broker (CASB)? | Microsoft

What is a CASB Cloud Access Security Broker? - CrowdStrike

Explanation

The Stealthwatch Cloud Private Network Monitoring (PNM) Sensor is an extremely flexible piece of technology,

capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete

Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on

hardware running a number of different Linux-based operating systems.

P2, P3, and P6 only. Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network and prevents ARP spoofing attacks. DAI relies on the DHCP snooping database to verify the IP-to-MAC bindings of hosts on the network. DAI operates on untrusted ports, which are ports that connect to hosts or devices that generate ARP traffic. Trusted ports are ports that connect to other switches or routers that do not generate ARP traffic.

In this scenario, the DHCP snooping database resides on router R1, which means that switch SW2 needs to trust the port P3 that connects to R1. This way, SW2 can receive the DHCP snooping information from R1 and populate its own database. The port P4 that connects to switch SW3 also needs to be trusted, because SW3 does not generate ARP traffic. The ports P2 and P6 that connect to hosts P6 and P7 need to be untrusted, because they generate ARP traffic and need to be validated by DAI. The port P1 that connects to host P5 does not need to be configured as untrusted, because DAI is not enabled on switch SW1.

To understand the concept of DAI and how to configure it, you can refer to the following sections of the source book:

Section 1.1.2: Describe the concepts of network security

Section 1.1.2.8: Describe the concepts of DAI

Section 1.1.2.9: Describe the concepts of DHCP snooping

Section 1.1.2.10: Describe the concepts of trusted and untrusted ports

Section 1.1.2.11: Describe the concepts of DAI configuration

Explanation

Explanation

Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.

Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

Cisco ASA NetFlow v9 Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology and provides stateful, IP flow tracking for significant events in a flow. NSEL requires a collector to receive and process the exported data records. To configure NSEL, you need to define a flow-export event type under a policy using the Modular Policy Framework (MPF). The event type specifies which events to export, such as flow-create, flow-denied, flow-teardown, flow-update, or all. You also need to configure the NSEL collectors, the template timeout intervals, and the flow-update interval. Optionally, you can disable the redundant syslog messages and reset the runtime counters.

The other statements are false because:

To view bandwidth usage for NetFlow records, the QoS feature is not required. You can use a NetFlow collector or analyzer to view the bandwidth usage and other statistics from the exported data records.

A sysopt command cannot be used to enable NSEL on a specific interface. NSEL is enabled globally on all interfaces by default when you configure a flow-export event type under a policy.

NSEL cannot be used without a collector configured. NSEL exports data records to the configured collectors using NetFlow over UDP. If no collector is configured, the data records are discarded.

Add the DNS entry for the new Cisco ISE node into the DNS server. This is because the fully qualified domain name (FQDN) of the new Cisco ISE node, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. The DNS server must contain the IP addresses and FQDNs of the ISE nodes that are part of the distributed deployment1.

The other options are incorrect because:

Changing the IP address of the new Cisco ISE node to the same network as the others is not necessary, as long as the nodes can communicate with each other over the network.

Making the new Cisco ISE node a secondary PAN before registering it with the primary is not possible, as the node must be registered first before changing its persona or role.

Opening port 8905 on the firewall between the Cisco ISE nodes is not required, as this port is used for communication between the primary and secondary Monitoring ISE nodes, not for node registration.

Multifactor authentication (MFA) is a security measure that requires two or more proofs of identity to grant access to network resources. These proofs can be something the user knows (such as a password or a PIN), something the user has (such as a token or a card), or something the user is (such as a fingerprint or a face scan). The benefit of using MFA is that it adds an extra layer of protection against unauthorized access, especially if the first factor (such as a password) is compromised or stolen. By requiring a second validation of identity, MFA reduces the risk of data breaches and identity theft. MFA can also help comply with regulatory and industry standards that mandate strong authentication for sensitive data and systems. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.3: Identity and Access Management

Multi-factor authentication best practices & strategy, NordLayer Blog

How to implement Multi-Factor Authentication (MFA), Microsoft Security Blog

Multi-factor authentication, Cyber.gov.au

What is Multi-Factor Authentication?, IBM

Explanation

Explanation

Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.

The crypto isakmp key command is used to configure a preshared key for ISAKMP authentication between two peers. The address 0.0.0.0 indicates that the key is valid for any peer address. Therefore, the same command must be entered on hostB with the same password in order to establish the tunnel with hostA. Changing the protocol to ikev2, using a different password, or changing the password to the default will not solve the problem, as they will create a mismatch in the authentication parameters. References:

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T, section “Prerequisites for Dynamic Multipoint VPN (DMVPN)”

DMVPN - Concepts & Configuration, section “DMVPN - What is it?”

DMVPN Hub as the CA Server for the DMVPN Network Configuration Example, section “Prerequisites”

Microsegmentation is a network security strategy that breaks a network into smaller network “segments” to boost security and control over data traffic1. Unlike traditional network security, which primarily defends the network’s outer boundaries, microsegmentation focuses on securing individual workloads and devices within the network2. Microsegmentation uses an allow-list model to significantly reduce the attack surface across different workload types and environments3. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center4.

Option B is the correct description of microsegmentation, as it captures the essence of applying a zero-trust model and specifying how applications on different servers or containers can communicate. Option A is incorrect, as deploying a container orchestration platform is not a sufficient condition for microsegmentation. Option C is incorrect, as deploying host-based firewall rules is not a necessary condition for microsegmentation. Option D is incorrect, as implementing private VLAN segmentation is a different technique from microsegmentation. References: An Introduction to Microsegmentation in Network Security. What Is Micro-Segmentation? - Cisco. What Is Microsegmentation? - Palo Alto Networks. What Is Microsegmentation in Networking? Beginner’s Guide.

Explanation

Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,

denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security model for

application workloads in the data center and cloud.

Cisco Tetration is an application workload security platform designed to secure your compute instances across

any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven microsegmentation

policy generation and enforcement. It enables trusted access through automated, exhaustive context from

various systems to automatically adapt security policies.

To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping to

discover the relationships between different application tiers and infrastructure services. In addition, the

platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation and risk assessment of policy application pre-enforcement to ensure ongoing application availability. The

normalized microsegmentation policy can be enforced through the application workload itself for a consistent approach to workload microsegmentation across any environment, including virtualized, bare-metal, and container workloads running in any public cloud or any data center. Once the microsegmentation policy is enforced, Cisco Tetration continues to monitor for compliance deviations, ensuring the segmentation policy is up to date as the application behavior change.

When a Cisco WSA receives a web request, it evaluates it against the policies in the policy table. Each policy type has a predefined, global policy, which maintains default actions for that policy type. If the web request does not match any user-defined policy, the WSA applies the global policy. The global policy can be configured to allow, block, or redirect the web request based on various criteria. The global policy acts as a catch-all policy for any web request that is not explicitly handled by a user-defined policy. References :=

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Create Policies to Control Internet Requests

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

Cisco Container Platform (CCP) is a security product that enables administrators to deploy Kubernetes clusters in air-gapped sites without needing Internet access. CCP tenant images contain all the necessary binaries and don’t need internet access to function. CCP also supports offline installation and updates of the platform components. CCP is designed to simplify the deployment and management of containerized applications across hybrid cloud environments, while ensuring security and compliance. CCP integrates with Cisco security solutions such as Cisco Tetration and Cisco Stealthwatch Cloud to provide visibility and protection for Kubernetes clusters and workloads. CCP also leverages Cisco Intersight, a cloud-based management platform, to provide centralized monitoring and automation for CCP clusters. References:

Cisco Container Platform

350-701 SCOR Cisco CCNP Security Updated Questions in April

In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST parameters.

Explanation

The Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible.

The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced malware protection that goes beyond point-in-time detection to protect your organization across the entire attack continuum – before, during, and after an attack. Designed for Cisco Firepower® network threat appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat vectors within a single system. It also provides the visibility and control necessary to protect your organization against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

Malware installation: This may be done by hijacking DNS queries and responding with malicious IP addresses.

Command & Control communication: As part of lateral movement, after an initial compromise, DNS

communications is abused to communicate with a C2 server. This typically involves making periodic DNS

queries from a computer in the target network for a domain controlled by the adversary. The responses contain encoded messages that may be used to perform unauthorized actions in the target network.

Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the terrain so developing a map is important to them.

Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and transferring malware into the target network.

Explanation

Community Cloud allows system and services to be accessible by group of organizations. It shares the

infrastructure between several organizations from a specific community. It may be managed internally by

organizations or by the third-party.

Cisco AMP for Endpoints is a cloud-based endpoint security solution that provides advanced malware protection, threat detection and response, and endpoint isolation. It protects endpoint systems through application control and real-time scanning, which are two of its multifaceted prevention techniques. Application control allows administrators to define and enforce policies on which applications can run on the endpoints, while real-time scanning continuously monitors files and processes for malicious activity. These features help stop threats from compromising the endpoints and reduce the attack surface. Cisco Secure Endpoint (Formerly AMP for Endpoints) - CiscoMalware Protection - Cisco AMP Advanced Malware Protection References:

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Malware Protection - Cisco AMP Advanced Malware Protection

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.1: Introduction to Cisco AMP for Endpoints

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.2: Cisco AMP for Endpoints Architecture

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.3: Cisco AMP for Endpoints Features

AES encryption is a symmetric block cipher algorithm that uses a single key to encrypt and decrypt data. It is more secure than 3DES, which is an older and slower algorithm that encrypts and decrypts a key three times in sequence. AES can use different key sizes, such as 128, 192, or 256 bits, depending on the security level required. The longer the key, the more rounds of encryption and decryption are performed, making it harder to break. AES encryption is based on a substitution-permutation network, which consists of a series of operations that transform the input data into the output data using the key. References :=

https://www.simplilearn.com/tutorials/cryptography-tutorial/aes-encryption

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

DHCP option 82 is a feature that allows the network access device (NAD) to insert additional information into the DHCP request packet from the endpoint. This information can include the switch ID, port number, VLAN ID, and other attributes that can help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to assign the endpoint to the appropriate identity group, policy, and authorization profile. DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and parse the option 82 data from the NAD. For more details on how to configure DHCP option 82 on Cisco ISE and NAD, see the references below. References:

Configuring the DHCP Probe

Securing Your Network From DHCP Risks

Can we use ISE as DHCP/DNS server to prevent guest traffic using …

Explanation

SQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives

(“injects”) you an SQL statement that you will unknowingly run on your database. For example:

Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a select

string. The variable is fetched from user input (getRequestString):

txtUserId = getRequestString(“UserId”);

txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;

If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:

SELECT * FROM Users WHERE UserId = 100 OR 1=1;

The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. A

hacker might get access to all the user names and passwords in this database.

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

Explanation

All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy section.

The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose which policy is sent first using the priority field. Priority 1 will be sent first.

To connect Cisco Secure Workload to external orchestrators at a client site where incoming connections are not allowed, a reverse tunnel must be used. A reverse tunnel initiates the connection from the inside of the client's network out to the external orchestrator, thereby bypassing restrictions on incoming connections and enabling secure communication.

Explanation

To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that

determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.

Explanation

Explanation

Customers must manage applications and data in PaaS.

The service password-encryption command is used to encrypt all passwords in the router configuration file, such as the enable password, the console password, the vty password, and the username password. This command prevents credentials from being seen if the router configuration was compromised, for example, by an attacker who gained access to the router or the backup files. The encryption used by this command is a weak algorithm that can be easily reversed, but it provides some level of protection against casual observers1.

The other commands are not used to encrypt passwords in the router configuration file. The username privilege 15 password and the username password commands are used to create local user accounts with or without administrative privileges, respectively. These commands store the passwords in clear text unless the service password-encryption command is enabled2. The service password-recovery command is used to enable or disable the password recovery mechanism on the router. This command does not affect the encryption of passwords in the configuration file3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.1: Device Hardening, page 1-14. 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.2: Management Plane Security, page 1-17. 3: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, Chapter: service password-recovery, page 1.

 Cisco Umbrella evaluates policies from the top down and looks for a matching identity and destination. Once a match is found, Umbrella applies that policy’s settings to the identity and destination and stops evaluating all other DNS policies. Therefore, to ensure that the policy that the identity must use takes precedence over the second one, the engineer should make the correct policy first in the policy order. This way, Umbrella will match the identity to the correct policy before checking the second policy. The other options are not correct because they do not guarantee that the identity will use the correct policy. Configuring the default policy to redirect the requests to the correct policy will not work if the identity matches another policy before the default one. Placing the policy with the most-specific configuration last in the policy order will not work if the identity matches a less-specific policy before the last one. Configuring only the policy with the most recently changed timestamp will not work if the identity matches an older policy before the newer one. References :=

Some possible references are:

Policy Precedence - Umbrella User Guide1

Manage Policies - Umbrella User Guide2

Umbrella Policy order - Cisco Community3

Explanation

The telemetry information consists of three types of data:

+ Flow information: This information contains details about endpoints, protocols, ports, when the flow started,

how long the flow was active, etc.

+ Interpacket variation: This information captures any interpacket variations within the flow. Examples include

variation in Time To Live (TTL), IP and TCP flags, payload length, etc

+ Context details: Context information is derived outside the packet header. It includes details about variation in buffer utilization, packet drops within a flow, association with tunnel endpoints, etc.

Northbound APIs are the link between the applications and the SDN controller. The applications can tell the network what they need (data, storage, bandwidth, and so on) and the network can deliver those resources, or communicate what it has. These APIs support a wide variety of applications, such as load balancers, firewalls, orchestration platforms, and automation stacks. Northbound APIs also enable the applications to use the controller’s capabilities to program flows into the network devices using the southbound interface. Northbound APIs are usually RESTful APIs that use HTTP methods to exchange data in JSON or XML formats12.

OpenFlow is not a northbound API protocol, but a southbound API protocol that defines the communication between the SDN controller and the network switches or routers. OpenFlow allows the controller to manipulate the forwarding behavior of the switches or routers by sending commands and receiving events3 .

NETCONF is not a northbound API protocol, but a network management protocol that can be used as a southbound API protocol to configure and monitor network devices. NETCONF uses XML to encode data and remote procedure calls (RPCs) to exchange messages between the controller and the network devices . References := 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: SDN North-bound and South-bound APIs and Interfaces 3: OpenFlow - Wikipedia : OpenFlow - SDxCentral : NETCONF - Wikipedia : NETCONF Protocol - Cisco

1sdxcentral.com2computernetworkingnotes.com3examguides.com

CoA-ACK is the CoA response code that is sent if an authorization state is changed successfully on a Cisco IOS device. CoA-ACK stands for CoA acknowledgment, which indicates that the device has received and processed the CoA request from the server and applied the new authorization settings to the session. The attributes returned within a CoA-ACK can vary based on the CoA request, such as session reauthentication, session termination, or session modification. The other options are not correct because they are not valid CoA response codes. CoA-NCL, CoA-NAK, and CoA-MAV are not defined in RFC 5176, which specifies the CoA protocol. CoA-NAK is the closest option, but it stands for CoA non-acknowledgment, which indicates that the device has rejected the CoA request from the server due to some error or inconsistency. References :=

Some possible references are:

RADIUS Change of Authorization - Cisco

Security and VPN Configuration Guide, Cisco IOS XE 17.x

RFC 5176 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

 SaaS stands for Software as a Service, which is a cloud service offering that allows customers to access a web application that is being hosted, managed, and maintained by a cloud service provider. SaaS applications are typically accessed through a web browser or a mobile app, and the customers do not need to install, update, or maintain any software or hardware on their own. SaaS applications can provide various benefits, such as lower upfront costs, faster deployment, scalability, and automatic updates. Some examples of SaaS applications are Gmail, Salesforce, Zoom, and Netflix123.

IaC stands for Infrastructure as Code, which is a method of provisioning and managing cloud resources using code or scripts, rather than manual processes or graphical user interfaces. IaC can help automate and standardize the deployment and configuration of cloud infrastructure, as well as improve consistency, reliability, and security. IaC is not a cloud service offering, but rather a technique or practice that can be used with different cloud service models, such as IaaS or PaaS45.

IaaS stands for Infrastructure as a Service, which is a cloud service offering that provides customers with access to virtualized computing resources, such as servers, storage, networks, and operating systems. IaaS customers can rent or lease these resources from a cloud service provider, and have full control over their configuration and management. IaaS customers are responsible for installing, updating, and maintaining their own applications and middleware on top of the cloud infrastructure. IaaS can provide various benefits, such as flexibility, scalability, cost-effectiveness, and security. Some examples of IaaS providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform .

PaaS stands for Platform as a Service, which is a cloud service offering that provides customers with access to a cloud-based platform that includes the infrastructure, operating system, middleware, and development tools needed to build, deploy, and run applications. PaaS customers can focus on developing and running their own applications, without worrying about the underlying cloud infrastructure or software. PaaS can provide various benefits, such as faster development, scalability, compatibility, and security. Some examples of PaaS providers are Heroku, AWS Elastic Beanstalk, and Google App Engine .

References := 1: IaaS vs. PaaS vs. SaaS | IBM 2: What is SaaS? Software as a service explained | InfoWorld 3: SaaS - Software as a Service | Oracle 4: What is Infrastructure as Code (IaC)? | Red Hat 5: Infrastructure as Code (IaC) | AWS : What is IaaS? Infrastructure as a service explained | InfoWorld : IaaS - Infrastructure as a Service | Oracle : Cloud Computing Services | Google Cloud : What is PaaS? Platform as a service explained | InfoWorld : PaaS - Platform as a Service | Oracle : Cloud Services - Deploy Cloud Apps & APIs | Microsoft Azure

Explanation

Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a message was not delivered as expected, you can determine if it was found to contain a virus or placed in a spam quarantine — or if it is located somewhere else in the mail stream.

The correct answer is to enable two-factor authentication through a RADIUS server, and then join the cluster via the SEG CLI. Two-factor authentication is a security feature that requires users to provide two forms of identification before accessing the SEG, such as a username and password, and a one-time code or token. This adds an extra layer of protection against unauthorized access and phishing attacks. The SEG supports two-factor authentication through external RADIUS servers, which can be configured on the System Administration > Users page in the web interface, or the userconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Two-Factor Authentication) for more details.

To join a cluster, the SEG must communicate with other cluster members using either SSH or CCS (Cluster Communication Service). The cluster communication port and method can be configured on the Network > Cluster Communication page in the web interface, or the clusterconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Cluster Communication) for more details.

If two-factor authentication is enabled on the SEG, it cannot join a cluster using the web interface, because the web interface does not support two-factor authentication for cluster operations. Therefore, the SEG must join the cluster using the CLI, and provide a pre-shared key that matches the cluster’s admin passphrase. The pre-shared key can be configured using the clusterconfig > prepjoin command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Creating and Joining a Cluster) for more details.

The other options are incorrect because they either use the wrong authentication server (TACACS+ instead of RADIUS), or the wrong communication method (GUI instead of CLI). References:

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment)

Configure an Email Security Appliance (ESA) Cluster - Cisco

Microsegmentation is a technology that limits communication between nodes on the same network segment to individual applications by creating secure zones across cloud and data center environments. Microsegmentation isolates application workloads from one another and secures them individually with granular firewall policies based on a zero-trust security approach1. Microsegmentation can reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance1.

Serverless infrastructure is a technology that allows developers to run code without provisioning or managing servers2. Serverless infrastructure does not limit communication between nodes on the same network segment to individual applications, but rather abstracts away the underlying infrastructure from the application logic.

SaaS deployment is a technology that delivers software applications over the internet as a service3. SaaS deployment does not limit communication between nodes on the same network segment to individual applications, but rather provides access to software applications from any device and location.

Machine-to-machine firewalling is a technology that controls the communication between machines or devices on a network. Machine-to-machine firewalling does not limit communication between nodes on the same network segment to individual applications, but rather applies rules to the traffic between machines or devices based on their IP addresses, ports, protocols, or other criteria.

References :=

What Is Micro-Segmentation? - Cisco

What is serverless?

What is SaaS?

[Machine-to-Machine Firewalling]

https://community.cisco.com/t5/endpoint-security/amp-endpoint-isolation/td-p/4086674#:~:text=Isolating%20an%20endpoint%20blocks%20all,your%20IP%20isolation%20allow%20list

AAA stands for Authentication, Authorization, and Accounting. It is a framework that provides security to network resources by controlling who can access them (authentication), what they can do (authorization), and what actions they perform (accounting). AAA can be implemented by using the local database of the device or by using an external server such as Cisco ISE (Identity Services Engine).

The question asks which configuration item makes it possible to have the AAA session on the network. A session is a logical connection between a user and a network device. A session can be initiated by various methods, such as console, telnet, SSH, PPP, etc. Each session can have different AAA policies applied to it, depending on the method list configured for that session.

A method list is a set of rules that define the authentication, authorization, and accounting methods to be used for a particular session. A method list can be named or default. A named method list is applied to a specific session by using the login, authorization, or accounting keyword followed by the name of the method list. A default method list is applied to all sessions that do not have a named method list configured.

The configuration item that makes it possible to have the AAA session on the network is the aaa authorization network default group ise command. This command configures a default method list for network authorization, which is the process of determining the network services and attributes that a user is allowed to access after authentication. The command specifies that the network authorization method is group, which means that the device will use an external server (such as Cisco ISE) to obtain the authorization information for the user. The command also specifies that the name of the server group is ise, which means that the device will use the server group defined by the aaa group server radius ise command.

The other options are incorrect because they do not configure a default method list for network authorization. Option A configures a named method list for login authentication, which is the process of verifying the identity of the user. Option B configures a default method list for enable authentication, which is the process of verifying the identity of the user who wants to enter the privileged EXEC mode. Option D configures a default method list for exec authorization, which is the process of determining the commands and features that a user can access in the EXEC mode. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts

Configure Basic AAA on an Access Server, General AAA Configuration, Authentication Configuration, Authorization Configuration

AAA (Authentication, Authorization and Accounting) - GeeksforGeeks, AAA implementation, ACS server

create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console1. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious2. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path3. The IP block and allow lists are used to control the network traffic to and from the endpoints, not the file execution4. References: 1: Configure Application Control on the AMP for Endpoints Portal 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 3: [Configure an Advanced Custom Detection List on the AMP for Endpoints Portal] 4: [Configure IP Block and Allow Lists on the AMP for Endpoints Portal]

Time synchronization is one of the features that can be configured for managed devices in the device platform settings of the Firepower Management Center (FMC). Time synchronization ensures that the FMC and its managed devices have the same date and time settings, which is important for accurate event logging and reporting. The FMC can act as a Network Time Protocol (NTP) server for its managed devices, or it can use an external NTP server as a time source1. The FMC can also synchronize its time with the system clock of the device where it is installed2. References := 1: Firepower Management Center Device Configuration Guide, 7.1 - Platform Settings 2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics

Explanation

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks.

 Cisco Duo is a cloud-based solution that provides multi-factor authentication (MFA) and device trust for secure access to applications and data. MFA adds an extra layer of security by requiring users to verify their identity with something they know (such as a password) and something they have (such as a phone or a hardware token). Device trust ensures that only trusted devices can access sensitive resources by checking the device health and compliance. Cisco Duo can help prevent social engineering attacks by making it harder for hackers to impersonate legitimate users or compromise their credentials. Cisco Duo can also integrate with other Cisco security products, such as Cisco AnyConnect, Cisco AMP for Endpoints, and Cisco Umbrella, to provide a comprehensive security solution. References :=

Cisco Duo Security

Cisco Duo: Multi-Factor Authentication

Cisco Duo: Device Trust

Cisco Security Core Technologies SCOR

Explanation

A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.

Buffer overflow is a vulnerability in low level codes of C and C++. An attacker can cause the program to crash, make data corrupt, steal some private information or run his/her own code. It basically means to access any buffer outside of it’s alloted memory space. This happens quite frequently in the case of arrays.

Explanation

Explanation

You can also bring up the port by using these commands:

+ The “shutdown” interface configuration command followed by the “no shutdown” interface configuration

command restarts the disabled port.

+ The “errdisable recovery cause …” global configuration command enables the timer to automatically recover error-disabled state, and the “errdisable recovery interval interval” global configuration command specifies the time to recover error-disabled state.

In a man-in-the-middle (MITM) attack, the attacker inserts their machine between two hosts that are communicating with each other, and secretly relays and possibly alters the messages between them. The attacker can intercept, modify, or spoof the data, and the hosts are unaware that their communication is compromised. A MITM attack can target any communication channel that uses weak or no encryption, such as email, web, or wireless networks. A MITM attack can break the confidentiality, integrity, and authenticity of the communication, and can have various goals, such as eavesdropping, stealing credentials, impersonating a legitimate party, or redirecting traffic. A MITM attack can be prevented by using strong encryption protocols, such as TLS, IPSec, or SSH, and verifying the identity of the communication endpoints using certificates or other means. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Man-in-the-middle attack - Wikipedia, Man-in-the-Middle Attack: Types and Examples - Fortinet

 OWASP stands for Open Web Application Security Project, a non-profit organization that provides resources for web application security. OWASP has developed a number of standards, projects, events, and news on topics such as web application security, supply chain security, and cyber risk mitigation1. One of the most widely recognized OWASP resources is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, such as broken access control, cryptographic failures, injection, and insecure design2. The OWASP Top 10 is updated periodically based on data analysis and community feedback. The latest edition was released in 20213. By following the OWASP Top 10 and other OWASP resources, developers can build more secure applications that minimize these risks. References := 1: OWASP Foundation, the Open Source Foundation for Application Security 2: OWASP Top Ten | OWASP Foundation 3: OWASP Top 10:2021

Explanation

Explanation

ETHOS is the Cisco file grouping engine. It allows us to group families of files together so if we see variants of

a malware, we mark the ETHOS hash as malicious and whole families of malware are instantly detected.

The dot1x pae authenticator command enables 802.1x authentication on the port and configures the port as an authenticator. This command is required for the port to initiate the authentication process with the connected client. Without this command, the port will not send EAPOL packets to the client and will not receive the client credentials. Therefore, the client will not be authenticated and will remain in the unauthorized state. The other options are not mandatory for 802.1x authentication, although they can be used to modify the default behavior of the port. For example, authentication open allows the port to grant access to the client before authentication, dot1x reauthentication enables periodic reauthentication of the client, and cisp enable enables Cisco Identity Services Protocol (CISP) on the port. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Network Access, Lesson 5.1: Implementing 802.1X Authentication, Topic 5.1.2: Configuring 802.1X Authentication, Page 5-9.

 Multifactor authentication (MFA) is a solution that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. MFA is more secure than the traditional use of a username and password because it reduces the risk of identity theft, phishing, and credential compromise. MFA can use different types of factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart card), or something the user is (e.g., fingerprint, facial recognition). MFA can be implemented using various methods, such as security defaults, Conditional Access policies, or third-party solutions123. References:

https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661

https://www.onelogin.com/learn/what-is-mfa

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

Endpoint-based security is the solution for performing signature-based application control, which is a method of identifying and blocking malicious applications based on their signatures or hashes. Signature-based application control is one of the features of endpoint security solutions, such as Cisco AMP for Endpoints1, that protect endpoints from known and unknown threats. Endpoint security solutions can also perform other functions, such as behavioral analysis, sandboxing, machine learning, and threat hunting, to provide comprehensive protection, detection, and response on the endpoint2. The other options are not scenarios where endpoint-based security is the solution. Inspecting encrypted traffic requires a network-based security solution, such as Cisco SSL Appliance3, that can decrypt and inspect the traffic for malicious content. Device profiling and authorization requires a network access control solution, such as Cisco Identity Services Engine4, that can identify and authenticate devices and users and enforce policies based on their roles and contexts. Inspecting a password-protected archive requires a file analysis solution, such as Cisco Threat Grid5, that can extract and analyze the contents of the archive for malware and indicators of compromise. References :=

Cisco AMP for Endpoints

What is Endpoint Security? How Does It Work?

Cisco SSL Appliance

Cisco Identity Services Engine

Cisco Threat Grid

Explanation

Explanation

We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.

Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect, quarantine, and remove the virus.

SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning.

Explanation

A botnet is a collection of internet-connected devices infected by malware that allow hackers to control them.

Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credentials

leaks, unauthorized access, data theft and DDoS attacks.

Explanation

The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered. (-> Therefore answer “integrity” is the best choice). HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.

Application visibility and control (AVC) is a solution that leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications1. One of the key components of AVC is application recognition, which uses stateful deep packet inspection (DPI) to identify applications within the network traffic flow, using L3 to L7 data2. DPI is a technique that examines the content of packets beyond the header information, and can classify applications based on their signatures, protocols, ports, or other attributes3. DPI enables AVC to monitor and control application performance, bandwidth usage, quality of service, and security policies4. References := 1: Cisco Application Visibility and Control (AVC) - Cisco 2: Cisco Application Visibility and Control User Guide - Technology Overview 3: What is application visibility and control? | Juniper Networks US 4: Application visibility and control - Secure Internet Access Enterprise

Explanation

What Cisco DNA Center enables you to do

Automate: Save time by using a single dashboard to manage and automate your network. Quickly scale your business with intuitive workflows and reusable templates. Configure and provision thousands of network devices across your enterprise in minutes, not hours.

Secure policy: Deploy group-based secure access and network segmentation based on business needs. With Cisco DNA Center, you apply policy to users and applications instead of to your network devices. Automation reduces manual operations and the costs associated with human errors, resulting in more uptime and improved security. Assurance then assesses the network and uses context to turn data into intelligence, making sure that changes in the network device policies achieve your intent.

Assurance: Monitor, identify, and react in real time to changing network and wireless conditions. Cisco DNA Center uses your network’s wired and wireless devices to create sensors everywhere, providing real-time feedback based on actual network conditions. The Cisco DNA Assurance engine correlates network sensor insights with streaming telemetry and compares this with the current context of these data sources. With a quick check of the health scores on the Cisco DNA Center dashboard, you can see where there is a performance issue and identify the most likely cause in minutes.

Extend ecosystem: With the new Cisco DNA Center platform, IT can now integrate Cisco® solutions and thirdparty technologies into a single network operation for streamlining IT workflows and increasing business value and innovation. Cisco DNA Center allows you to run the network with open interfaces with IT and business applications, integrates across IT operations and technology domains, and can manage heterogeneous network devices.

Active Directory (AD) is an ID store that requires that a shadow user be created on Cisco ISE for the admin login to work. A shadow user is a user account that is defined in the ISE internal database, but has the password set to external. This means that the user authentication is performed against an external identity source, such as AD, while the user authorization is based on the ISE admin group membership. A shadow user is useful when the admin wants to assign different roles or permissions to specific AD users, rather than using AD groups. To create a shadow user, the admin must check the External checkbox in the ISE admin user configuration, and make sure that the username matches the AD username. The shadow user must also be assigned to an ISE admin group that has the Type set to External123. References := 1: ISE Admin User Shadow AD Account Issue 2: ISE Admin user authentication from AD 3: Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

 On Cisco Firepower Management Center, a health policy is used to collect health modules alerts from managed devices. A health policy is a collection of tests, or health modules, that monitor the health status of the hardware and software in the system. You can apply a health policy to one or more appliances and configure the frequency and conditions for running the health modules and generating alerts. The health monitor on the Firepower Management Center tracks the health events based on the health policy settings and displays them on the Health Monitor page and the event views. You can also use external alerting mechanisms, such as SNMP traps or syslog messages, to notify you of health events. References :=

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Health_Monitoring.html

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/health-health.html

The Python script code snippet for the Cisco ASA REST API is used to add a global rule into policies. The script uses the urllib2 module to create an HTTP request with the URL, headers, and post_data. The post_data is a JSON object that contains the parameters for the global rule, such as the destination service, the source address, the permit value, and the position. The script also uses the base64 module to encode the username and password for authentication. The script then sends the request to the ASA REST API and prints the status code and the response. If the status code is 201, it means the operation was successful and the global rule was added. If the status code is not 201, it means there was an error and the script prints the JSON error message. The script also handles any HTTP errors and value errors that might occur during the execution. References:

Cisco ASA REST API Quick Start Guide

Configure Secure Access to Use REST API with Python

GitHub - timwukp/Cisco-ASA-REST-API

Network telemetry is a technology that allows network devices to push data to a collector in real time, rather than waiting for the collector to pull data from them. This improves the efficiency and accuracy of data collection, and enables the monitoring of a large number of network devices. SNMP, on the other hand, is a protocol that uses a pull model, where the collector requests data from the devices periodically. This can cause delays, gaps, and overhead in data collection, and limit the scalability of network monitoring. Therefore, network telemetry has an advantage over SNMP pulls in terms of scalability. References:

What Is Telemetry? Telemetry vs. SNMP - Huawei

Streaming telemetry challenges SNMP in large, complex networks

Network streaming telemetry: Monitoring in “real-time” - Paessler

An Overview of Network Telemetry - Geek Speak - Resources - THWACK

Stateful failover means that the connection state information is replicated from the active ASA to the standby ASA, so that in the event of a failover, the connections are preserved and do not need to be reestablished. Stateless failover means that the connection state information is not replicated, so that in the event of a failover, the connections are dropped and need to be reestablished by the end hosts. Stateful failover provides a smoother transition and less disruption to the network traffic, while stateless failover is simpler and less resource-intensive. References:

Failover for High Availability - Cisco

Failover Types / ASA Failover Addresses / Failover Requirements | Cisco …

A passphrase is a type of protection that encrypts RSA keys when they are exported and imported. A passphrase is a sequence of characters that the user enters to decrypt the key. The passphrase acts as a symmetric key that is used to encrypt and decrypt the RSA key with a symmetric algorithm, such as AES. This way, the RSA key is protected from unauthorized access or tampering when it is transferred or stored. A passphrase can also provide additional security by adding entropy to the RSA key generation process. A file, NGE, and nonexportable are not types of protection that encrypt RSA keys when they are exported and imported. A file is a container that stores the RSA key, but does not encrypt it. NGE stands for Next Generation Encryption, which is a set of cryptographic standards and algorithms that Cisco recommends, but it is not a specific type of protection. Nonexportable is a property that prevents the RSA key from being exported at all, but it does not encrypt it. References: RSA/Schannel Key BLOBs, Common Encryption Types, Protocols and Algorithms Explained, Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5: Implementing Secure Communications with VPNs, Lesson 5.1: Implementing Site-to-Site VPNs, Topic 5.1.2: Implementing Site-to-Site VPNs with Pre-Shared Keys)

Explanation

Explanation

Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:

+ Ingress interface (SNMP ifIndex)

+ Source IP address

+ Destination IP address

+ IP protocol

+ Source port for UDP or TCP, 0 for other protocols

+ Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols

+ IP Type of Service

Note: A flow is a unidirectional series of packets between a given source and destination.

Explanation

Explanation

Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root

certificate. Having the SSL Decryption feature improves:

Custom URL Blocking—Required to block the HTTPS version of a URL.

…

Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make

connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed.

Typical errors include “The security certificate presented by this website was not issued by a trusted certificate authority” (Internet Explorer), “The site’s security certificate is not trusted!” (Google Chrome) or “This

Connection is Untrusted” (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing.

To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of your users—if you’re a network admin.

Explanation

Explanation

You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation

in an outgoing message. Different actions can be assigned for different violation types and severities.

Primary actions include:

– Deliver

– Drop

– Quarantine

Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the

original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in

addition to providing another way to monitor DLP violations. When you release the copy from the quarantine,

the appliance delivers the copy to the recipient, who will have already received the original message.

– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message

headers.

– Altering the subject header of messages containing a DLP violation.

– Adding disclaimer text to messages.

– Sending messages to an alternate destination mailhost.

– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical

DLP violations to a compliance officer’s mailbox for examination.)

– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP

compliance officer.

The main difference between an on-premise solution and a cloud-based solution is the distribution of responsibilities between the customer and the provider. With an on-premise solution, the customer has full control over the installation, configuration, maintenance, and security of the product, but also bears the costs and risks associated with it. With a cloud-based solution, the provider takes care of most of these aspects, while the customer pays a subscription fee and accesses the product over the internet. Therefore, when choosing between the two options, the customer must consider factors such as cost, scalability, performance, availability, security, compliance, and customization. For example, an on-premise solution may be preferred if the customer has strict security or regulatory requirements, or needs a high level of customization. A cloud-based solution may be preferred if the customer wants to reduce capital expenditure, or needs a flexible and scalable solution that can adapt to changing demands. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts, Topic: Cloud Security

350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.6 Compare and contrast the characteristics of a data center and the cloud

Cloud vs. On-Premise Software Comparison

The Cisco WSA can participate in the Cisco SensorBase Network, which is a threat management database that collects and shares data from Cisco security products. By participating in the SensorBase Network, the WSA can receive web reputation scores and URL categories for the requested web content, and also contribute data to improve the accuracy and efficacy of the service. The data that the WSA sends to the SensorBase Network servers includes information about request attributes and how the appliance handles requests. However, to protect the privacy and confidentiality of the users and the organization, the WSA does not send the complete URL, but only the summarized server-name information and the MD5-hashed path information. The MD5 hash is a one-way encryption algorithm that converts the path information into a fixed-length string that cannot be reversed. This way, the SensorBase Network can identify the URL without revealing the actual content or parameters of the request. The WSA also does not send any personal or confidential information such as usernames and passwords, or any information about HTTPS transactions, except for the IP address, web reputation score, and URL category of the server name in the certificate. The SensorBase Network Participation is enabled by default, but it can be disabled by the administrator if desired123. References: 3: Web Base Network Participation (WBNP) and Sender Base Network Participation (SBNP) - Cisco 2: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD (General Deployment) - Introduction 1: User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Introduction

 The dot1x system-auth-control command enables 802.1X globally on a Cisco switch. This command allows the switch to act as an authenticator for 802.1X clients connected to the switch ports. The switch will then communicate with a RADIUS server to authenticate the clients and grant or deny access to the network. The other commands are not related to enabling 802.1X globally. The dot1x pae authenticator command enables 802.1X authentication on a specific interface. The authentication port-control aut command enables automatic port-based authentication on an interface. The aaa new-model command enables the AAA framework for authentication, authorization, and accounting. References :=

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html

Microsegmentation is a technique that divides a network into smaller segments or zones, each with its own security policies and controls. This helps to isolate and protect workloads and applications from each other, and limit the lateral movement of threats within the network. Microsegmentation can be applied to different platforms and environments, such as virtual machines, containers, cloud services, and endpoints. Microsegmentation can also improve the visibility and enforcement of network traffic, as well as the performance and scalability of security solutions.

In the context of applications or containers on the same node, microsegmentation can limit the communication between them by enforcing granular policies based on attributes such as identity, context, and behavior. For example, microsegmentation can restrict which ports, protocols, or services are allowed for each application or container, and block any unauthorized or malicious traffic. Microsegmentation can also prevent the exposure of sensitive data or resources to other applications or containers on the same node, or to external attackers who may compromise one of them.

Container orchestration, microservicing, and Software-Defined Access are not directly related to limiting the communication between applications or containers on the same node. Container orchestration is a process of managing the lifecycle, deployment, and scaling of containers across a cluster of nodes. Microservicing is an architectural style of developing applications as a collection of loosely coupled, independent, and modular services. Software-Defined Access is a network architecture that abstracts the network infrastructure from the network policies, and enables consistent and secure access to any application or service across any domain. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.1: Describing Cloud Computing and Deployment Models, Topic 5.1.4: Microsegmentation

What Is Micro-Segmentation? - Cisco

Communicating With Docker Containers on the Same Machine - Baeldung on Ops

 The Cisco Umbrella roaming client is a cloud-delivered security service for Cisco’s next-generation firewall that protects employees when they are off the VPN. No additional agents are required. Simply enable the Umbrella functionality in the Cisco AnyConnect client. One of the advantages of the Umbrella roaming client is that it provides visibility into IP-based threats by tunneling suspicious IP connections to the Umbrella cloud for inspection and blocking. This way, the roaming client can prevent malware, phishing, and command-and-control callbacks from reaching malicious domains and IPs, regardless of the port or protocol. The Umbrella roaming client also provides DNS-layer security when the VPN is off, and proactive blocking of emerging threats using real-time data analysis. References:

Cisco Umbrella Roaming

3 Benefits of Using Roaming Client with Cisco Umbrella

Secure remote workers with the Cisco Umbrella roaming client

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5.1.1)

Explanation

Explanation

When supporting personal devices on a corporate network, you must protect network services and enterprise

data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE

provides the tools you need to allow employees to securely use personal devices on a corporate network.

Guests can add their personal devices to the network by running the native supplicant provisioning (Network

Setup Assistant), or by adding their devices to the My Devices portal.

Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add

these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these devices.

Endpoint security is the process of protecting devices like workstations, servers, and other devices from malicious threats and cyberattacks. Endpoint security enables businesses to secure endpoints that employees use for work purposes or servers that are either on a network or in the cloud. Endpoint security is important because every device that connects to the corporate network is a potential vulnerability, providing a possible entry point for cyber criminals. Therefore, every device an employee uses to connect to any business system or resource carries the risk of becoming the chosen route for hacking into an organization. These devices can be exploited by malware that could leak or steal sensitive data from the business12.

One of the benefits of endpoint security is that it allows the organization to detect and mitigate threats that the perimeter security devices do not detect. Perimeter security devices, such as firewalls and intrusion prevention systems, are designed to protect the network from external attacks. However, they may not be able to prevent or detect attacks that originate from within the network, such as insider threats, compromised devices, or lateral movement. Endpoint security solutions can provide visibility and control over the devices that connect to the network, and can monitor, analyze, and respond to suspicious or malicious activities on the endpoints. Endpoint security solutions can also leverage threat intelligence and advanced analytics to identify and block known and unknown threats, such as ransomware, zero-day exploits, and targeted attacks13. References := 1: What is Endpoint Security? How Does It Work? | Fortinet 2: Microsoft Defender for Endpoint | Microsoft Security 3: Endpoint Security - Check Point Software

CoA stands for Change of Authorization, which is a feature that allows a RADIUS server to adjust an active client session after it is authenticated. For example, CoA can be used to reauthenticate a client, terminate a client session, or change the VLAN or group policy of a client. CoA is supported by several RADIUS vendors, including Cisco ISE. CoA is defined in RFC 5176 and uses a pushed model, where the request originates from the RADIUS server and is sent to the network device that acts as a listener. CoA requests can have two possible response codes: CoA-ACK (acknowledgment) or CoA-NAK (non-acknowledgment). References :=

Some possible references are:

RADIUS Change of Authorization

Change of Authorization with RADIUS (CoA) on MR Access Points

Change of Authorization with RADIUS (CoA) on MS Switches

Technical Tip: Radius COA behavior

 DoS attacks are categorized as flood attacks or crash attacks. Flood attacks are the more common form of DoS attacks. They occur when the attacked system is overwhelmed by large amounts of traffic that the server is unable to handle. The system eventually stops. Some examples of flood attacks are ICMP flood, SYN flood, and UDP flood. Crash attacks are less frequent and they exploit flaws in the targeted system. The result is that the system crashes. Some examples of crash attacks are Ping of Death, Teardrop, and Land. References:

What is a denial-of-service (DoS) attack? | Cloudflare

What is a Denial of Service (DoS) attack? | Norton

What is a Denial of Service (DoS) Attack? | Cobalt

What is a denial of service attack (DoS) - Palo Alto Networks

Two-factor authentication is a security feature that requires users to provide two forms of information before gaining access to the Cisco ESA. The two factors are usually something the user knows, such as a password, and something the user has, such as a token or a code. Two-factor authentication can be enabled for specific user roles on the Cisco ESA through a RADIUS server, which is an external authentication server that supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS server can generate and validate the second factor for the users, such as a one-time password (OTP) or a time-based one-time password (TOTP). To enable two-factor authentication through a RADIUS server, the network engineer must configure the RADIUS server settings on the Cisco ESA, and assign the user roles that require two-factor authentication to use the RADIUS server as the authentication source. This can be done on the System Administration > Users page in the web interface, or by using the userconfig command in the CLI12.

A cluster is a group of Cisco ESAs that share the same configuration information and can be managed centrally. A cluster can provide increased reliability, flexibility, and scalability for the email security system. To join a cluster, a Cisco ESA must have the same AsyncOS version as the other cluster members, and must use a pre-shared key to authenticate with the cluster leader. The pre-shared key is a secret passphrase that is configured on the cluster leader and must be entered on the joining appliance. To join a cluster by using the Cisco ESA CLI, the network engineer must use the clusterconfig command, which allows the engineer to create a new cluster, join an existing cluster, or leave a cluster. The clusterconfig command also allows the engineer to specify the communication port and the hostname or IP address of the cluster leader. If the Cisco ESA has enabled two-factor authentication, the network engineer must also use the clusterconfig > prepjoin command to configure the pre-shared key before joining the cluster34.

Therefore, option A is the correct answer, and the other options are incorrect. Option B is incorrect because the cluster configuration options must be done via the CLI on the Cisco ESA and cannot be created or joined in the GUI. Option C is incorrect because the Cisco ESA does not support TACACS+ as an external authentication source, only LDAP and RADIUS. Option D is incorrect because it also uses TACACS+, which is not supported by the Cisco ESA. References :=

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Distributing Administrative Tasks

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - External Authentication

Configure an Email Security Appliance (ESA) Cluster

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Centralized Management

Cisco CloudLock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. CloudLock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. With CloudLock you can more easily combat data breaches while meeting compliance regulations1.

Cisco CloudLock provides the following features that meet the requirements of visibility into data transfers as well as protection against data exfiltration:

User security: Cloudlock uses advanced machine learning algorithms to detect anomalies based on multiple factors. It also identifies activities outside allowed countries and spots actions that seem to take place at impossible speeds across distances1.

Data security: Cloudlock’s data loss prevention (DLP) technology continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. It also supports inline and out-of-band data inspection and blocking capabilities to protect sensitive data12.

App security: The Cloudlock Apps Firewall discovers and controls cloud apps connected to your corporate environment. You can see a crowd-sourced Community Trust Rating for individual apps, and you can ban or allowlist them based on risk1.

The other solutions do not provide the same level of visibility and protection as Cisco CloudLock:

Cisco Umbrella is a cloud-delivered network security service that provides DNS-layer security, secure web gateway, cloud-delivered firewall, cloud access security broker, and threat intelligence3. It does not offer data security features such as DLP, data inspection, and data blocking4.

Cisco AppDynamics Cloud Monitoring is a cloud-native application performance management solution that helps you monitor, troubleshoot, and optimize your cloud applications. It does not offer user security, data security, or app security features as a CASB solution.

Cisco Stealthwatch is a network traffic analysis solution that provides visibility and threat detection across your network, endpoints, and cloud. It does not offer data security features such as DLP, data inspection, and data blocking.

 3: Cisco Umbrella Packages - Cisco Umbrella 1: Cisco Cloudlock - Cisco 2: Cisco Cloudlock Cisco Cloudlock: Secure Cloud Data 4: Easy to Deploy & Simple to Manage CASB Solution - Cisco Umbrella : Cisco AppDynamics Cloud Monitoring : Cisco Stealthwatch - Cisco

Cisco Defense Orchestrator (CDO) is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms. CDO centrally manages elements of policy and configuration across Cisco ASA, Cisco Firepower, Cisco Meraki, and AWS1. CDO also provides visibility, automation, and orchestration capabilities to simplify and unify security operations2. The other options are not cloud security software that can centrally manage policies on multiple platforms. Cisco Configuration Professional is a device management tool for Cisco routers and switches. Cisco Secureworks is a security services provider that offers threat intelligence and incident response. Cisco DNAC is a network controller that automates and assures services across campus, branch, and edge networks. References :=

Cisco Defense Orchestrator Data Sheet

Cisco Defense Orchestrator

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

Explanation

Cloud computing can be broken into the following three basic models:

+ Infrastructure as a Service (IaaS): IaaS describes a cloud solution where you are renting infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model because you pay for what you use.

+ Platform as a Service (PaaS): PaaS provides everything except applications. Services provided by this

model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

+ Software as a Service (SaaS): SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a peruse fee.

 Phishing is a type of cyberattack that uses fraudulent emails or other communications to trick users into providing sensitive information or installing malware on their devices1. Phishing can lead to identity theft, data breaches, ransomware infections, and financial losses. To protect employees from phishing attacks, a company can use various solutions that can detect, block, and remediate phishing threats. Two of these solutions are:

Cisco Umbrella: Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet, including phishing2. Cisco Umbrella uses DNS-layer security, which can identify and block malicious domains, IPs, and URLs before they can reach the user’s device2. Cisco Umbrella also integrates with Cisco Email Security to provide additional protection against phishing emails that may bypass the email gateway3.

Cisco Email Security Appliance (ESA): Cisco ESA is an email gateway that protects inbound and outbound email traffic from spam, malware, phishing, and other threats4. Cisco ESA uses multiple layers of defense, such as reputation filtering, antivirus scanning, outbreak filters, and content filtering, to prevent malicious emails from reaching the user’s inbox4. Cisco ESA also leverages Cisco Advanced Phishing Protection, which uses machine learning and threat intelligence to identify and block sophisticated phishing attacks that use identity deception techniques5.

References := 1: What Is Phishing? Examples and Phishing Quiz - Cisco 2: Cisco Umbrella - Cloud Delivered Enterprise Security 3: Cisco Umbrella and Cisco Email Security Integration 4: Cisco Secure Email - Cisco 5: Cisco Advanced Phishing Protection - Cisco Video Portal

Cisco AMP for Endpoints is a next generation endpoint security solution that provides prevention, detection, and response capabilities. One of its functions is to automate threat responses of an infected host by isolating it from the network, blocking malicious files, and removing them from all endpoints. This reduces the time and effort required to contain and remediate a threat, and prevents further damage or data loss. According to the source book, Cisco AMP for Endpoints can perform the following automated responses1:

Endpoint Isolation: This feature allows you to isolate an endpoint from the network if it is compromised or infected. This prevents the endpoint from communicating with other devices or servers, and stops the spread of malware or exfiltration of data. You can isolate an endpoint manually from the console, or automatically based on a policy or a detection. You can also restore the network connectivity of an isolated endpoint when it is safe to do so.

File Blocking: This feature allows you to block a file from executing on any endpoint if it is deemed malicious or suspicious. You can block a file manually from the console, or automatically based on a policy or a detection. You can also unblock a file if it is a false positive or no longer a threat.

File Removal: This feature allows you to remove a file from any endpoint if it is malicious or unwanted. You can remove a file manually from the console, or automatically based on a policy or a detection. You can also restore a file from quarantine if it is a false positive or needed for analysis.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Endpoint Protection and Detection, Lesson 6.2: Cisco AMP for Endpoints, Topic 6.2.3: Automated Responses.

 TAXII, short for Trusted Automated eXchange of Intelligence Information, is a protocol that defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which is a standardized language for expressing and exchanging cyber threat information. TAXII enables organizations to share STIX information by defining an API that aligns with common sharing models, such as hub and spoke, source/subscriber, and peer-to-peer. TAXII also defines four services that allow users to discover, manage, receive, and request STIX information. Therefore, TAXII supports STIX information and determines how threat intelligence information is relayed. TAXII does not determine the “what” of threat intelligence, as that is the role of STIX. TAXII does not allow users to describe threat motivations and abilities, as that is also part of STIX. TAXII does not exchange trusted anomaly intelligence information, as that is a specific type of threat intelligence that may or may not be represented in STIX. References:

What are STIX/TAXII Standards I Resources I Anomali

Cyber Threat Intelligence Technical Committee - GitHub Pages

The Southbound API is used to communicate between Controllers and network devices.

Explanation

Explanation

Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security policies

and device configurations with ease across multiple Cisco and cloud-native security platforms.

Cisco Defense Orchestrator features:

….

Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki

MX software is now easy, with the ability to share policy elements across platforms.

Explanation

The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.

Explanation

The ASAv on AWS supports the following features:

+ Support for Amazon EC2 C5 instances, the next generation of the Amazon EC2 Compute Optimized instance

family.

+ Deployment in the Virtual Private Cloud (VPC)

+ Enhanced networking (SR-IOV) where available

+ Deployment from Amazon Marketplace

+ Maximum of four vCPUs per instance

+ User deployment of L3 networks

+ Routed mode (default)

Note: The Cisco Adaptive Security Virtual Appliance (ASAv) runs the same software as physical Cisco ASAs to deliver proven security functionality in a virtual form factor. The ASAv can be deployed in the public AWS cloud.

It can then be configured to protect virtual and physical data center workloads that expand, contract, or shift their location over time. Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asav/quick-start-book/asav-96 qsg/asavaws.html

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.

+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.

+ Both ingress and egress NetFlow accounting is supported.

+ Microflow policing feature shares the NetFlow hardware resource with FNF.

+ Only one flow monitor per interface and per direction is supported.

Cisco Advanced Malware Protection (AMP) for Web Security is a solution that provides protection against web-related threats before, during, and after an attack. One of the functions that AMP for Web Security includes is detailed analytics of the unknown file’s behavior. This means that AMP can continuously monitor and analyze the activity of files that cross the web gateway, even after they have been initially scanned and allowed. This allows AMP to detect and block any malicious behavior that may emerge later, and provide retrospective security alerts and remediation actions12. References: 1: Cisco Advanced Malware Protection for Web Security 2: Cisco Adds Advanced Malware Protection to Web and Email Security Appliances and Cloud Services

Workloaded security models are ways of protecting applications, services, and capabilities that run on a cloud resource. Virtual machines, databases, containers, and applications are all considered cloud workloads. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud. Depending on the deployment model, the cloud workload security can vary in terms of responsibility, visibility, and control.

Infrastructure as a service (IaaS) is a cloud deployment model where the cloud provider offers the basic computing infrastructure, such as servers, storage, and networking, as a service. The customer is responsible for installing, configuring, and managing the operating systems, applications, and security of the workloads that run on the cloud infrastructure. IaaS provides the customer with more flexibility and control over the workload security, but also more complexity and overhead.

On-premises is a deployment model where the customer owns and operates the entire IT infrastructure, including the hardware, software, and security. The customer has full responsibility and control over the workload security, but also the highest cost and maintenance. On-premises deployment can offer more security and compliance than cloud deployment, depending on the customer’s security posture and practices.

https://www.cisco.com/site/us/en/products/security/secure-workload/index.html

https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-workload-security/

To migrate a Cisco WSA virtual appliance from one physical host to another physical host by using VMware vMotion, both hosts must have access to the same defined network. This is because vMotion preserves the network identity and connections of the virtual machine, and requires that the source and destination hosts have compatible CPUs and shared storage1. The hosts do not need to run the same or different versions of Cisco AsyncOS, as long as they meet the minimum requirements for the virtual appliance2. The hosts do not need to use a different datastore than the virtual appliance, as vMotion can migrate virtual machines across datastores as well3. References: 1: VMware vMotion: Live Migration of Virtual Machines and Storage 2: Cisco Secure Web Appliance Virtual - Cisco 3: Migrating to Virtual SMA from Physical - Cisco Community

3DES is a symmetric-key block cipher that applies the DES algorithm three times to each data block. It was developed to improve the security of DES, which has a small key size and is vulnerable to brute-force attacks. 3DES encrypts traffic by using three different keys, each 56 bits long, to perform three rounds of encryption on the plaintext. The encryption process can be described as follows:

Encrypt the plaintext with the first key (K1).

Decrypt the result with the second key (K2).

Encrypt the result again with the third key (K3).

The final ciphertext is the output of the third encryption. The decryption process is the reverse of the encryption process, using the same keys in reverse order:

Decrypt the ciphertext with the third key (K3).

Encrypt the result with the second key (K2).

Decrypt the result again with the first key (K1).

The final plaintext is the output of the third decryption. 3DES is more secure than DES because it uses a longer effective key length of 168 bits (56 x 3), which makes brute-force attacks more difficult. However, 3DES is also slower than DES because it requires three times more computations. Moreover, 3DES has some weaknesses, such as the meet-in-the-middle attack, which can reduce the effective key length to 112 bits. Therefore, 3DES is not recommended for new applications and has been deprecated by NIST since 201712

References := 1: NIST Special Publication 800-67 Revision 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 2: What is 3DES encryption and how does DES work? | Comparitech

Explanation

Device sensor is a feature of access devices. It allows to collect information about connected endpoints. Mostly,

information collected by Device Sensor can come from the following protocols:

+ Cisco Discovery Protocol (CDP)

+ Link Layer Discovery Protocol (LLDP)

+ Dynamic Host Configuration Protocol (DHCP)

Explanation

CoA Messages are sent on two different udp ports depending on the platform. Cisco standardizes on UDP port

1700, while the actual RFC calls out using UDP port 3799.

Posture is a service in Cisco ISE that checks the compliance of endpoints with corporate security policies before allowing them to connect to the network. Posture policies define the requirements that endpoints must meet to be compliant, such as having antivirus software installed and updated, or having a specific registry key value. If an endpoint is compliant, Cisco ISE can apply a Change of Authorization (CoA) to grant it access to the network resources. CoA is a mechanism that allows Cisco ISE to dynamically change the authorization attributes of an existing session, such as VLAN, dACL, or SGT, without requiring the user to reauthenticate. CoA can be triggered by various events, such as posture assessment results, profiling changes, or manual actions by the administrator. CoA can also be used to quarantine or disconnect non-compliant endpoints. Therefore, ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE provides the benefit of allowing CoA to be applied if the endpoint status is compliant. References :=

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Change of Authorization

Explanation

Explanation

How To Troubleshoot ISE Failed Authentications & Authorizations

Check the ISE Live Logs

Login to the primary ISE Policy Administration Node (PAN).

Go to Operations > RADIUS > Live Logs

(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >

Endpoints and Users > RADIUS Authentications

Check for Any Failed Authentication Attempts in the Log

Cisco Tetration, which is a hybrid-cloud workload protection platform that uses machine learning, behavior analysis, and algorithmic approaches to secure compute instances in both the on-premises data center and the public cloud1. Cisco Tetration can process behavior baselines, monitor for deviations, and review for malicious processes in data center traffic and servers while performing software vulnerability detection. It can also provide zero-trust microsegmentation, proactive identification of security incidents, and reduction of the attack surface1. The other options are not correct because they do not offer the same level of workload protection as Cisco Tetration. Cisco ISE is an identity and access control platform that provides secure network access, endpoint compliance, and device administration2. Cisco AMP for Network is a network-based malware prevention solution that detects and blocks malicious files and URLs before they reach the endpoints3. Cisco AnyConnect is a VPN client that provides secure remote access, endpoint visibility, and posture enforcement4. References:

1: Cisco Secure Workload Platform Data Sheet

2: Cisco Identity Services Engine Data Sheet

3: Cisco Advanced Malware Protection for Networks Data Sheet

4: Cisco AnyConnect Secure Mobility Client Data Sheet

Explanation

Explanation

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more

verification factors to gain access to a resource. MFA requires means of verification that unauthorized users

won’t have.

Proper multi-factor authentication uses factors from at least two different categories.

MFA methods:

+ Knowledge – usually a password – is the most commonly used tool in MFA solutions. However, despite their

simplicity, passwords have become a security problem and slow down productivity.

+ Physical factors – also called possession factors–use tokens, such as a USB dongle or a portable device,

that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the

advantage of being readily available in most situations.

+ Inherent – This category includes biometrics like fingerprint, face, and retina scans. As technology advances,

it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are

reliably unique, always present, and secure, this category shows promise.

+ Location-based and time-based – Authentication systems can use GPS coordinates, network parameters,

and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these

data points with historical or contextual user data.

A time factor in conjunction with a location factor could detect an attacker attempting to authenticate in Europe

when the user was last authenticated in California an hour prior, for example.

+ Time-based one-time password (TOTP) – This is generally used in 2FA but could apply to any MFA

method where a second step is introduced dynamically at login upon completing a first step. The wait for a

second step–in which temporary passcodes are sent by SMS or email–is usually brief, and the process is easy

to use for a wide range of users and devices. This method is currently widely used.

+ Social media – In this case a user grants permission for a website to use their social media username and

password for login. This provide an easy login process, and one generally available to all users.

+ Risk-based authentication – Sometimes called adaptive multi-factor authentication, this method combines

adaptive authentication and algorithms that calculate risk and observe the context of specific login requests.

The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.

+ Push-based 2FA – Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security

while improving ease of use. It confirms a user’s identity with multiple factors of authentication that other

methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi,

users must have data access on their mobile devices to use the 2FA functionality.

The IP and Domain Reputation Center is a service provided by Talos, Cisco’s Security Intelligence and Research Group, that tracks the reputation of IP addresses and domains for email and web traffic. The IP and Domain Reputation Center collects and analyzes data from millions of deployed web, email, firewall and IPS appliances, as well as open-source data sets, endpoint intelligence, and network intrusions. The IP and Domain Reputation Center transforms this data into actionable threat intelligence and tools to improve security posture. The IP and Domain Reputation Center allows users to look up websites, URLs and IP addresses and the information Talos has about them, such as their reputation score, category, volume, and threat level. The IP and Domain Reputation Center also provides threat data overviews, such as the top email and spam senders by country, and the standard categories used to classify website content and attack types123. References := 1: Reputation Center - A Real Time Threat Detection Service || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence 2: IP & Domain Reputation Center - Talos Intelligence 3: Talos Reputation Center overview | Talos Support Documents

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/Cisco_Secure_Managed_Endpoint.pdf

Defanging is the process of modifying a URL in a message to prevent it from being clickable. This can help protect users from malicious links that have a low URL reputation score. Defanging is one of the actions that can be configured in the Incoming Content Filter on the Cisco ESA. The other actions are Quarantine, FilterAction, and ScreenAction. Quarantine sends the message to a quarantine area for further inspection. FilterAction applies a predefined action such as drop, bounce, or deliver. ScreenAction displays a warning message to the user before allowing them to access the URL. Defanging is the only action that disables the links in the message without affecting the delivery or visibility of the message12. References: 1: URL Filtering on the Cisco IronPort ESA – Mikail’s Blog 2: Configure URL Filtering for Secure Email Gateway and Cloud Gateway - Cisco

Explanation

You can configure your ASA FirePOWER module using one of the following deployment models:

You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or

passive) deployment.

Northbound APIs (SDN northbound APIs) are typically RESTful APIs that are used to communicate between the SDN controller and the services and applications running over the network. Such northbound APIs can be used for the orchestration and automation of the network components to align with the needs of different applications via SDN network programmability1. The management solution is an example of an application that can use the northbound APIs to interact with the SDN controller and configure, monitor, and troubleshoot the network devices and services2. Therefore, the main function of northbound APIs in the SDN architecture is to enable communication between the SDN controller and the management solution. References: 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: Software-Defined Networking Security and Network Programmability

To block certain URLs based on the “Chat and Instant Messaging” category, the network administrator should select a reputation score of 5. A reputation score is a numerical value that indicates the likelihood of a URL being malicious or unwanted. The lower the score, the higher the risk. A score of 5 means that the URL is suspicious or potentially harmful, and should be blocked or inspected12. A score of 3 means that the URL is unknown or unverified, and may be allowed or blocked depending on the policy settings12. A score of 10 means that the URL is trustworthy or benign, and should be allowed12. A score of 1 means that the URL is malicious or high-risk, and should be blocked12. Therefore, a score of 5 is the most appropriate to block the “Chat and Instant Messaging” category, which may contain unwanted or problematic websites. References:

Reputation score, section “Reputation score”.

Web content filtering, section “What is web content filtering?”.

Cisco FMC is assigned the role of a client in the pxGrid ecosystem. A client is a partner that subscribes to the contextual data published by other partners or by ISE. A client can also publish its own data, but it does not have to. A client can use the contextual data to enforce security policies, perform threat analysis, or provide visibility. Cisco FMC can subscribe to various topics from ISE or other partners, such as user identity, session directory, endpoint profile, SGT mapping, threat events, or vulnerability assessment. Cisco FMC can also publish its own threat events to ISE or other partners. Cisco FMC can use the contextual data to apply access control rules, correlation policies, or network discovery policies based on the attributes of the users, endpoints, or sessions12.

The other options are not correct because they are not the roles assigned for Cisco FMC. A server is a partner that publishes contextual data to other partners or to ISE. A server can also subscribe to data, but it does not have to. A server can provide valuable information about the network, such as device inventory, configuration, or compliance. An example of a server is Cisco Prime Infrastructure3. A controller is the core component of the pxGrid ecosystem that manages the communication, authentication, and authorization between the partners. The controller is always ISE, and it is responsible for creating and maintaining the pxGrid domain, distributing the certificates, and facilitating the data exchange4. A publisher is a partner that publishes contextual data to other partners or to ISE, but does not subscribe to any data. A publisher can provide useful information about the network, such as security events, alerts, or incidents. An example of a publisher is Cisco Stealthwatch. References :=

Integrate FMC with ISE using pxGrid | Blue Network Security

How To: Integrate Firepower Management Center (FMC) 6 … - Cisco Community

Cisco Prime Infrastructure and ISE pxGrid Integration - Cisco

pxGrid Overview - Cisco

[Cisco Stealthwatch and ISE pxGrid Integration - Cisco]

Explanation

Explanation

NetFlow is a network protocol developed by Cisco for the collection and monitoring of network traffic flow data

generated by NetFlow-enabled routers and switches. The flows do not contain actual packet data, but rather the

metadata for communications. It is a standard form of session data that details who, what, when, and where of

network traffic -> Answer A is not correct.

The target in a phishing attack is the endpoint, which is the device or system that the user interacts with, such as a computer, smartphone, or tablet. Phishing attacks aim to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers, or clicking on malicious links or attachments that can install malware on the endpoint. Phishing attacks can be delivered through various channels, such as email, phone, or text message, but they all rely on social engineering techniques to manipulate the user’s trust and curiosity. By compromising the endpoint, attackers can gain access to the user’s accounts, files, network, or other resources. Therefore, endpoint security is essential to prevent phishing attacks and protect the user’s data and identity. References:

What Is a Phishing Attack? Definition and Types - Cisco

8 types of phishing attacks and how to identify them

What Is Phishing? | Microsoft Security

Phishing | What Is Phishing?

L2TP and GRE are both tunneling protocols that can be used to create site-to-site VPNs. However, they have some differences in how they encapsulate and transport data. L2TP is a layer 2 protocol that uses IP packet encapsulation to carry PPP frames over an IP network. L2TP does not add any additional header to the IP packet, but relies on IPsec to provide encryption and authentication. GRE is a layer 3 protocol that adds its own header to the IP packet, which contains information such as the protocol type, checksum, and key. GRE can be used to carry any type of payload over an IP network, not just PPP frames. GRE also requires IPsec to provide security for the tunnel. Therefore, the correct answer is C, because GRE over IPsec adds its own header, and L2TP does not1234 References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Secure Connectivity 2: What is the difference between L2TP vs GRE 3: GRE over IPSec vs L2TP over IPSEC 4: difference between L2TP/GRE/MPLS

 Cisco Duo is a multi-factor authentication (MFA) solution that verifies the identity of all users with Duo’s easy, one-tap-approval MFA app. It also provides device visibility and adaptive policies to ensure that only trusted devices can access corporate applications and networks. Some of the benefits of using Cisco Duo as an MFA solution are:

It provides a simple and streamlined login experience for multiple applications and users. Users can access all their applications from a single dashboard, and authenticate with a simple push notification or other convenient methods. Duo also supports single sign-on (SSO) for integrated applications, reducing the need for multiple passwords and logins12.

It offers native integration that helps secure applications across multiple cloud platforms or on-premises environments. Duo can be easily integrated with most major apps and custom applications, enabling a secure access solution that can be implemented with minimal IT involvement. Duo also supports various protocols and standards, such as SAML, RADIUS, LDAP, and WebAuthn, to enable seamless integration with different environments13.

 1: Multi-Factor Authentication (MFA) | Duo Security 2: Multi-Factor Authentication (MFA) | Duo Security - Cisco 3: What Is Duo? Two-Factor Authentication From Cisco - Cisco

EPP and EDR are two types of endpoint security solutions that have different goals and capabilities. EPP stands for endpoint protection platform, which is a suite of technologies that work together to prevent, detect, and remediate security threats on endpoints. EPP solutions use techniques such as antivirus, firewall, application control, and patch management to block known and unknown malware and malicious activity. EDR stands for endpoint detection and response, which is a solution that provides real-time visibility into endpoint activities and enables security teams to detect, investigate, and respond to advanced threats that may have bypassed EPP defenses. EDR solutions use techniques such as behavioral analysis, threat intelligence, and incident response to flag offending files at the first sign of malicious behavior, contain and isolate compromised endpoints, and remediate the damage caused by the attack. Therefore, the correct answer is D, as having an EDR solution gives an engineer the capability to flag offending files at the first sign of malicious behavior. The other options are incorrect because:

A is false, as EPP focuses primarily on threats that have evaded front-line defenses that entered the environment, not EDR.

B is false, as having an EPP solution allows an engineer to detect, investigate, and remediate modern threats, not EDR.

C is false, as EDR focuses on detection and response at the endpoint level, not prevention at the perimeter. References:

EPP vs. EDR: Why You Need Both - CrowdStrike

EDR vs EPP: What is the Difference? - Exabeam

EPP vs. EDR: What Matters More, Prevention or Response? - Cynet

two-factor authentication. Two-factor authentication (2FA) is a security measure that requires users to provide two pieces of evidence to verify their identity before accessing SaaS-based applications1. These pieces of evidence can be something the user knows (such as a password or a PIN), something the user has (such as a smartphone or a token), or something the user is (such as a fingerprint or a face scan)1. 2FA enhances the security of SaaS-based applications by making it harder for attackers to compromise login credentials and gain unauthorized access to sensitive data and resources2. The other options are not correct because they are not sufficient to secure SaaS-based applications. Modular policy framework (MPF) is a feature of Cisco ASA that allows administrators to create and apply security policies to traffic flows3. However, MPF alone cannot protect SaaS-based applications from web-based threats or data breaches. Application security gateway (ASG) is a device that provides firewall, intrusion prevention, and content filtering services for web applications4. However, ASG cannot prevent credential theft or account takeover attacks that target SaaS-based applications. End-to-end encryption (E2EE) is a method of encrypting data in transit and at rest, so that only the sender and the receiver can decrypt it. However, E2EE cannot prevent unauthorized access to SaaS-based applications if the encryption keys are compromised or stolen. References:

1: What is Two-Factor Authentication (2FA)?

2: How to Secure Your SaaS Applications

3: Modular Policy Framework Overview

4: What is an Application Security Gateway?

: What is End-to-End Encryption?

The RAT (Recipient Access Table) is the list that contains the allowed recipient addresses on the Cisco ESA. The RAT controls whether the ESA accepts or rejects messages to a recipient address based on the sender group and the mail policy. The RAT can be configured to allow, relay, or reject messages to specific recipients or domains. The RAT can also be used to apply different message filters or content filters to different recipient groups12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 3: Deploying Cisco Email Security Appliance, Topic: Configuring Mail Policies2: Cisco Email Security Appliance User Guide, Release 13.5 - Configuring Mail Policies [Cisco Secure Email Gateway] - Cisco.

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

Configure Windows Policy in AMP for Endpoints - Cisco

Prevent, Detect and Respond with Cisco AMP for Endpoints

Trusted Automated eXchange of Intelligence Information (TAXII) is a collection of services and message exchanges that enable the sharing of cyber threat intelligence across product, service, and organizational boundaries. It is designed to support the exchange of CTI represented in STIX, but is not limited to STIX. TAXII defines an API that aligns with common sharing models, such as hub-and-spoke, peer-to-peer, and subscribe/publish. TAXII is not a public collection of threat intelligence feeds, a threat intelligence sharing organization, or a language used to represent security information. Those are possible descriptions of STIX, which is a complementary standard to TAXII. References: STIX and TAXII Approved as OASIS Standards to Enable Automated Exchange of Cyber Threat Intelligence, STIX V2.1 and TAXII V2.1 OASIS Standards are published, What is STIX/TAXII? | Cloudflare, What is STIX / TAXII? Learn about the industry standards for Cyber …, What are STIX/TAXII Standards I Resources I Anomali

Explanation

Application layer protocols can represent the same data in a variety of ways. The Firepower System provides

application layer protocol decoders that normalize specific types of packet data into formats that the intrusion

rules engine can analyze. Normalizing application-layer protocol encodings allows the rules engine to effectively

apply the same content-related rules to packets whose data is represented differently and obtain meaningful

results.

The cloud security shared responsibility model is a way of describing how the security tasks and obligations are divided between the cloud service provider (CSP) and the customer, depending on the type of cloud service model used. The cloud service models are:

Software as a Service (SaaS): The CSP provides and manages the entire software stack, including the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer only needs to access the software through a web browser or an application. The customer is responsible for managing their own data and identities, as well as configuring the security settings of the software. The CSP is responsible for everything else, including patching the operating system and the applications12

Platform as a Service (PaaS): The CSP provides and manages the platform layer, including the runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer can deploy and run their own applications and data on the platform, using the tools and languages supported by the CSP. The customer is responsible for managing their own applications and data, as well as configuring the security settings of the platform. The CSP is responsible for patching the operating system and the middleware12

Infrastructure as a Service (IaaS): The CSP provides and manages the infrastructure layer, including the virtualization, servers, storage, and networking. The customer can provision and use virtual machines, containers, or bare metal servers, and install their own operating system, middleware, applications, and data. The customer is responsible for managing and patching their own operating system, middleware, applications, and data, as well as configuring the security settings of the infrastructure. The CSP is responsible for the physical security and availability of the infrastructure12

References := 1: Shared responsibility in the cloud - Microsoft Azure 2: Cloud security shared responsibility model - NCSC

The configuration that is needed to accomplish the goal of adding protection for data in transit and having headers in the email message is to deploy an encryption appliance. An encryption appliance is a device that encrypts and decrypts email messages using various encryption standards, such as S/MIME, PGP, or Cisco Registered Envelope Service (CRES). An encryption appliance can also add headers to the email message to indicate the encryption status, the encryption key, or the encryption policy. An encryption appliance can be integrated with an email appliance, such as Cisco Email Security Appliance (ESA), to provide end-to-end email security and encryption.

The other options are incorrect because:

Provisioning the email appliance is not enough to add protection for data in transit and have headers in the email message. An email appliance can provide various email security features, such as spam filtering, virus scanning, content filtering, or data loss prevention, but it does not encrypt or decrypt email messages by itself. An email appliance needs to work with an encryption appliance to provide email encryption and decryption.

Mapping sender IP addresses to a host interface is not related to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to accept email messages from specific IP addresses or ranges and assign them to a specific host interface. This can be useful for load balancing, traffic management, or policy enforcement, but it does not affect email encryption or decryption.

Enabling flagged message handling is not relevant to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to handle email messages that have a specific flag or tag in the subject line or the body. This can be useful for testing, troubleshooting, or applying special policies, but it does not affect email encryption or decryption.

https://learn-umbrella.cisco.com/i/802005-umbrella-security-report/3?

https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html#:~:text=Powerful%20EDR%20capabilities,from%20Kenna%20Security.

Cisco Advanced Malware Protection (AMP) for endpoints can be seen as a replacement for the traditional antivirus solution. It is a next generation, cloud delivered endpoint protection platform (EPP), and advanced endpoint detection and response (EDR). Providing Protection – Detection Response

While Cisco Umbrella can enforce security at the DNS-, IP-, and HTTP/S-layer, this report does not require that blocking is enabled and only monitors your DNS activity. Any malicious domains requested and IPs resolved are indicators of compromise (IOC).

Any malicious domains requested and IPs resolved are indicators of compromise (IOC)

Explanation

Cisco Threat Intelligence Director (CTID) can be integrated with existing Threat Intelligence Platforms deployed by your organization to ingest threat intelligence automatically.

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security

Broker (CASB) and cloud cybersecurity platform.

 Cisco FTD is the recommended solution for this requirement because it allows the administrator to configure URL filtering as part of the access control policy. URL filtering in FTD can block or allow traffic based on the destination URL of a web request, the generalized category of the URL, or the public reputation of the target site. FTD can also use HTTPS URL filtering to inspect encrypted web traffic and block malicious or unwanted sites. FTD supports both local URL lists and external URL filtering servers such as Cisco Talos Intelligence Group (TIG), Websense, or SmartFilter12.

Cisco ASA does not include URL filtering in the access control policy capabilities. ASA can only enable URL filtering for web traffic using external filtering servers such as Websense or SmartFilter. ASA cannot block HTTPS or FTP traffic based on URLs, nor can it use local URL lists or categories. ASA also does not block malicious URLs by default, but relies on the filtering server’s configuration34.

Therefore, option C is the correct answer, and the other options are incorrect. References :=

FTD URL Filtering - How it works? - Cisco Community

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Access Control

Configuring Filtering Services - Cisco

Configuring URL Filtering - Cisco

Cisco SensorBase gathers threat information from a variety of Cisco products and services, such as Cisco IPS, Cisco ASA, Cisco IronPort, Cisco Umbrella, and Cisco Talos, and performs analytics to find patterns on threats. This process is called consumption, which is one of the four phases of the Cisco Security Intelligence Operations (SIO) framework. The consumption phase involves collecting, aggregating, and analyzing threat data from multiple sources and providing actionable intelligence and tools to customers and partners. The consumption phase also leverages the Cisco SensorBase Network, which is the world’s largest threat monitoring network that tracks millions of domains and IP addresses around the world and maintains a global watch list for Internet traffic. SensorBase provides Cisco with an assessment of reliability for known Internet domains and IP addresses, based on their reputation score, category, volume, and threat level. SensorBase also provides threat data overviews, such as the top email and spam senders by country, and the standard categories used to classify website content and attack types1234. References := 1: How Cisco’s SensorBase works | Network World 2: What is Cisco SensorBase? - networklore.com 3: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD … 4: Cisco Security Intelligence Operations At-A-Glance

Transparently identify users with authentication realms – This option is available when one or more authentication realms are configured to support transparent identification using one of the following authentication servers:

Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context Directory Agent. For more information, see Transparent User Identification with Active Directory.

LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user identification. For more information, see Transparent User Identification with LDAP.

Details:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html#:~:text=Transparently%20identify%20users%20with%20authentication,User%20Identification%20with%20LDAP.

Explanation

Explanation

Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.

Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch.

EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to provide

device-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response.

The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization’s deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.

Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization’s security team.

 The vulnerability that allows the attacker to see the passwords being transmitted in clear text is the lack of encryption on the VPN links. Encryption is a process of transforming data into an unreadable form, so that only authorized parties can access it. VPN (Virtual Private Network) is a technology that creates a secure tunnel between two or more devices over a public network, such as the Internet. VPN links should be encrypted to prevent eavesdropping, tampering, or spoofing of the data that passes through them. If the VPN links are not encrypted, an attacker can use a packet sniffer to intercept and read the data, including the passwords, that are sent over the network. This is called a sniffing attack, and it can lead to credential theft, identity spoofing, or data manipulation. Therefore, VPN links should always use strong encryption protocols, such as IPsec or SSL/TLS, to protect the confidentiality and integrity of the data. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Cisco: This is the official course page for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. It provides the course objectives, outline, duration, and prerequisites. It also offers various learning options, such as instructor-led training, e-learning, and practice exams.

SCOR 350-701 Official Cert Guide - Cisco Press: This is the official study guide for the SCOR 350-701 exam, written by Omar Santos, a principal engineer at Cisco’s Security Research and Operations group. It covers all the exam topics in depth, with explanations, examples, exercises, and practice questions. It also includes a companion website with online resources, such as videos, quizzes, flashcards, and more.

Cleartext submission of password - PortSwigger: This is a web security article that explains the vulnerability of transmitting passwords over unencrypted connections, and how to exploit it using Burp Suite, a web application testing tool. It also provides some remediation advice, such as using HTTPS and HSTS to enforce encryption.

What Are Sniffing Attacks, and How Can You Protect Yourself? - EC-Council: This is a blog post that describes what sniffing attacks are, how they work, and what are the common types and tools of sniffing attacks. It also provides some tips on how to prevent or detect sniffing attacks, such as using encryption, VPN, firewall, IDS, and anti-sniffing software.

OWASP Application Security FAQ | OWASP Foundation: This is a frequently asked questions page about application security, maintained by the Open Web Application Security Project (OWASP), a non-profit organization that promotes web security awareness and best practices. It covers various topics, such as authentication, authorization, session management, input validation, output encoding, cryptography, error handling, logging, and more.

Explanation

Explanation

If sysopt permit-vpn is not enabled then an access control policy must be created to allow the VPN traffic through the FTD device. If sysopt permit-vpn is enabled skip creating an access control policy.

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

 MAB is a fallback authentication method for devices that do not support 802.1X. When MAB is enabled on a switchport, the switch will first try 802.1X and if it fails, it will use the MAC address of the device as the username and password to authenticate it with a RADIUS server. The RADIUS server must have a database of MAC addresses that are allowed on the network. MAB can also support dynamic VLAN assignment and ACLs from the RADIUS server. MAB is not a very secure method because MAC addresses can be easily spoofed or changed. Therefore, MAB should be used with caution and only for devices that cannot use 802.1X. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing Networks with Cisco Firepower Next Generation Firewall, Lesson 3.2: Deploying Cisco Firepower Next-Generation Firewall, Topic 3.2.2: 802.1X and MAB

MAC Authentication Bypass Deployment Guide, Cisco, MAB Overview, What is MAB?

MAC Authentication Bypass (MAB), NetworkLessons.com, How MAB Works

MAC-based authentication (MAB), RADIUSaaS Docs, How it works

MAC authentication and username/password, Cisco Community, Answer by hslai