350-701 Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Questions and Answers

ExplanationExplanationStorm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.By using the “storm-control broadcast level [falling-threshold]” we can limit the broadcast traffic on the switch.

A picture containing application Description automatically generated

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets on untrusted interfaces by comparing the MAC address to IP address bindings in the DHCP snooping database or an ARP access-list. If the ARP packet contains invalid or spoofed information, it is dropped and logged. DAI also inspects ARP packets on trusted interfaces, but it does not drop them if they are invalid. Instead, it forwards them to the destination without validation. This allows the switch to support devices that use static IP addresses or have legitimate reasons to send ARP packets with different MAC address to IP address bindings. However, this also means that if a spoofed ARP packet is received on a trusted interface, it will bypass the DAI validation and be forwarded to the destination. This could allow an attacker to poison the ARP cache of other devices and perform a man-in-the-middle attack. Therefore, the correct answer is option B. The switch drops the packet after validation by using the IP & MAC Binding Table. References:

• Understanding and Configuring Dynamic ARP Inspection
• DAI (Dynamic ARP Inspection)
• Dynamic ARP Inspection (DAI) Explanation & Configuration
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

ExplanationTo understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCPmessages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP responseis seen on an untrusted port, the port is shut down.

An active/active FlexVPN configuration allows for multiple routers or VRFs to act as hubs for different VPN groups, providing load balancing and redundancy1. This is useful when the VPN deployment has a large number of spokes or different security policies for different groups of spokes. DMVPN, on the other hand, only supports a single hub or a pair of hubs in active/standby mode for each VPN group2. This limits the scalability and flexibility of DMVPN deployments. Therefore, an engineer would opt for an active/active FlexVPN configuration as opposed to DMVPN when multiple routers or VRFs are required. References :=

• Cisco FlexVPN: Benefits and Best Practices
• Cisco DMVPN Design Guide

A Trojan malware attack is a type of malicious code or software that disguises itself as a legitimate program or file to trick users into executing it. Once executed, the Trojan can perform various harmful actions on the infected system or network, such as stealing data, deleting files, or installing other malware. There are different types of Trojan malware attacks, depending on their purpose and behavior. Two common types are:

• Rootkit: A rootkit is a type of Trojan that hides itself and other malware from detection and removal by antivirus software or system tools. A rootkit can modify the operating system or the firmware of the device to gain persistent and privileged access to the system. A rootkit can also intercept and manipulate system calls, network traffic, or user input to conceal its activities or redirect them to malicious servers.
• Backdoor: A backdoor is a type of Trojan that creates a secret or unauthorized access point to the infected system or network. A backdoor can allow an attacker to remotely control the system, execute commands, upload or download files, or monitor the system activity. A backdoor can also be used to install other malware or launch further attacks on other systems or networks.

References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 1: Malware Threats, Lesson 1: Identifying Malware Threats, Topic: Trojan Horse
• What is a Trojan? Is it a virus or is it malware? - Norton™
• Trojan Horse Examples (2024): The 6 Worst Attacks Ever - SoftwareLab

ExplanationExplanationSouthbound APIs enable SDN controllers to dynamically make changes based on real-time demands andscalability needs.

DMVPN and sVTI are both VPN technologies that use IPsec to secure the tunnel traffic. However, they differ in how they establish and manage the tunnels. DMVPN supports dynamic tunnel establishment, which means that the VPN endpoints can create and delete tunnels on demand, based on the routing information. This allows for a scalable and flexible VPN topology, where the endpoints can communicate directly with each other without going through a central hub. sVTI, on the other hand, supports static tunnel establishment, which means that the VPN endpoints have to manually configure the tunnel source and destination addresses. This requires a one-to-one mapping between the endpoints, and limits the VPN topology to a hub-and-spoke model, where the endpoints can only communicate with the hub. Therefore, DMVPN is more suitable for large and dynamic VPN networks, while sVTI is more suitable for small and stable VPN networks. References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Secure Connectivity, Lesson 5.2: Implementing Site-to-Site VPNs, Topic 5.2.3: Dynamic Multipoint VPN (DMVPN)
• what is difference between svti and DVTI? - Cisco Community

 Cisco Firepower is a unified security solution that combines firewall, intrusion prevention system (IPS), advanced malware protection (AMP), and threat intelligence features. Cisco ASA is a traditional firewall that focuses on network traffic control based on packet filtering and stateful inspection. One of the key differences between Cisco Firepower and Cisco ASA is that Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not. Intrusion prevention is the process of detecting and blocking malicious network traffic before it reaches the intended target. Cisco Firepower uses a combination of signature-based and behavior-based detection methods to identify and stop known and unknown attacks. Cisco ASA, on the other hand, does not have built-in intrusion prevention capabilities. It can only perform basic packet inspection and filtering based on predefined rules. To enable intrusion prevention on Cisco ASA, an additional module called FirePOWER Services is required. This module integrates Cisco Firepower features into Cisco ASA, but it is not the same as Cisco Firepower itself. Cisco Firepower offers more advanced and integrated security features than Cisco ASA with FirePOWER Services123. References: 1: Cisco ASA vs Cisco Firepower | What are the differences? - StackShare 2: Cisco FTD vs ASA: Difference and Comparison 3: CISCO FIREPOWER VS. ASA - Critical Design

Explanation Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

ExplanationExplanationCryptographic algorithms defined for use with IPsec include:+ HMAC-SHA1/SHA2 for integrity protection and authenticity.+ TripleDES-CBC for confidentiality+ AES-CBC and AES-CTR for confidentiality.+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

ExplanationA posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the client with this patch.

A passphrase is a type of protection that encrypts RSA keys when they are exported and imported. A passphrase is a sequence of characters that the user enters to decrypt the key. The passphrase acts as a symmetric key that is used to encrypt and decrypt the RSA key with a symmetric algorithm, such as AES. This way, the RSA key is protected from unauthorized access or tampering when it is transferred or stored. A passphrase can also provide additional security by adding entropy to the RSA key generation process. A file, NGE, and nonexportable are not types of protection that encrypt RSA keys when they are exported and imported. A file is a container that stores the RSA key, but does not encrypt it. NGE stands for Next Generation Encryption, which is a set of cryptographic standards and algorithms that Cisco recommends, but it is not a specific type of protection. Nonexportable is a property that prevents the RSA key from being exported at all, but it does not encrypt it. References: RSA/Schannel Key BLOBs, Common Encryption Types, Protocols and Algorithms Explained, Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5: Implementing Secure Communications with VPNs, Lesson 5.1: Implementing Site-to-Site VPNs, Topic 5.1.2: Implementing Site-to-Site VPNs with Pre-Shared Keys)

The main difference between an on-premise solution and a cloud-based solution is the distribution of responsibilities between the customer and the provider. With an on-premise solution, the customer has full control over the installation, configuration, maintenance, and security of the product, but also bears the costs and risks associated with it. With a cloud-based solution, the provider takes care of most of these aspects, while the customer pays a subscription fee and accesses the product over the internet. Therefore, when choosing between the two options, the customer must consider factors such as cost, scalability, performance, availability, security, compliance, and customization. For example, an on-premise solution may be preferred if the customer has strict security or regulatory requirements, or needs a high level of customization. A cloud-based solution may be preferred if the customer wants to reduce capital expenditure, or needs a flexible and scalable solution that can adapt to changing demands. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts, Topic: Cloud Security
• 350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.6 Compare and contrast the characteristics of a data center and the cloud
• Cloud vs. On-Premise Software Comparison

 The vulnerability that allows the attacker to see the passwords being transmitted in clear text is the lack of encryption on the VPN links. Encryption is a process of transforming data into an unreadable form, so that only authorized parties can access it. VPN (Virtual Private Network) is a technology that creates a secure tunnel between two or more devices over a public network, such as the Internet. VPN links should be encrypted to prevent eavesdropping, tampering, or spoofing of the data that passes through them. If the VPN links are not encrypted, an attacker can use a packet sniffer to intercept and read the data, including the passwords, that are sent over the network. This is called a sniffing attack, and it can lead to credential theft, identity spoofing, or data manipulation. Therefore, VPN links should always use strong encryption protocols, such as IPsec or SSL/TLS, to protect the confidentiality and integrity of the data. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Cisco: This is the official course page for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. It provides the course objectives, outline, duration, and prerequisites. It also offers various learning options, such as instructor-led training, e-learning, and practice exams.
• SCOR 350-701 Official Cert Guide - Cisco Press: This is the official study guide for the SCOR 350-701 exam, written by Omar Santos, a principal engineer at Cisco’s Security Research and Operations group. It covers all the exam topics in depth, with explanations, examples, exercises, and practice questions. It also includes a companion website with online resources, such as videos, quizzes, flashcards, and more.
• Cleartext submission of password - PortSwigger: This is a web security article that explains the vulnerability of transmitting passwords over unencrypted connections, and how to exploit it using Burp Suite, a web application testing tool. It also provides some remediation advice, such as using HTTPS and HSTS to enforce encryption.
• What Are Sniffing Attacks, and How Can You Protect Yourself? - EC-Council: This is a blog post that describes what sniffing attacks are, how they work, and what are the common types and tools of sniffing attacks. It also provides some tips on how to prevent or detect sniffing attacks, such as using encryption, VPN, firewall, IDS, and anti-sniffing software.
• OWASP Application Security FAQ | OWASP Foundation: This is a frequently asked questions page about application security, maintained by the Open Web Application Security Project (OWASP), a non-profit organization that promotes web security awareness and best practices. It covers various topics, such as authentication, authorization, session management, input validation, output encoding, cryptography, error handling, logging, and more.

Phishing attacks are a type of social engineering that aim to trick users into revealing their personal or financial information, or installing malware on their devices. To control phishing attacks, users and organizations need to implement various preventive and reactive measures, such as:

• Enable browser alerts for fraudulent websites. Most modern browsers have built-in features that can warn users when they visit a website that is suspected of being malicious or impersonating a legitimate entity. These alerts can help users avoid falling for phishing scams that use fake web pages to capture their credentials or other sensitive data. For example, Google Chrome has a Safe Browsing feature that displays a red warning page when users try to access a deceptive site. Users should always pay attention to these alerts and avoid proceeding to untrusted sites.
• Implement email filtering techniques. Email is one of the most common channels for phishing attacks, as attackers can send spoofed messages that appear to come from trusted sources, such as banks, government agencies, or colleagues. Email filtering techniques can help block or flag suspicious emails based on various criteria, such as the sender’s address, the subject line, the content, or the attachments. For example, Microsoft Outlook has a Junk Email Filter that can move potential phishing emails to a separate folder or delete them automatically. Users should also be careful not to open or reply to any unsolicited or unexpected emails, especially those that ask for personal or financial information, or contain links or attachments.

Other mechanisms that can help control phishing attacks include:

• Use strong passwords and enable two-factor authentication. Even if users fall victim to phishing attacks and reveal their passwords, they can still protect their accounts by using strong and unique passwords for each service, and enabling two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring users to enter a code or a token that is sent to their phone or email, or generated by an app, in addition to their password. This way, even if attackers obtain the password, they cannot access the account without the second factor.
• Don’t ignore update messages. Users should always keep their operating systems, browsers, and applications updated with the latest security patches and fixes. These updates can help prevent phishing attacks that exploit known vulnerabilities or bugs in the software. Users should also use antivirus and antispyware software that can detect and remove malware that may be installed by phishing attacks.
• Exercise caution when opening emails or clicking on links. Users should always be skeptical and vigilant when they receive emails or messages that ask them to take urgent or unusual actions, such as verifying their account, updating their payment information, or downloading a file. Users should also check the sender’s address, the spelling and grammar, and the URL of any links before clicking on them. Users can hover over the link to see the actual destination, or use a link scanner tool, such as VirusTotal, to check if the link is malicious or not.

References :=

1: https://safebrowsing.google.com/  2: https://support.microsoft.com/en-us/office/overview-of-the-junk-email-filter-5ae3ea8e-cf41-4fa0-b02a-3b96e21de089  3: https://www.virustotal.com/gui/home/url

The aaa server radius dynamic-author command enables authentication, authorization, and accounting (AAA) globally on the device so that Change of Authorization (CoA) is supported. CoA is a feature that allows an external AAA server to dynamically change the attributes of a user session after it is authenticated. For example, the AAA server can send a CoA request to reauthenticate a user, terminate a session, or apply a new policy. The aaa server radius dynamic-author command specifies the IP address and port number of the device that listens for CoA requests from the AAA server. The command also configures the shared secret key that is used to encrypt the communication between the device and the AAA server12. References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing Networks with Cisco Firepower Next Generation Firewall, Lesson 3.2: Deploying Cisco Firepower Next-Generation Firewall, Topic 3.2.2: Cisco Firepower NGFW Device Management 2: Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15SY - RADIUS Change of Authorization [Support] - Cisco3

ExplanationAdvanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect andquarantine.Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

In order to send web traffic transparently to the Web Security Appliance (WSA), the system administrator can use one of these two methods:

• Policy-based routing (PBR) on the network infrastructure: This method allows the administrator to define routing policies based on the source or destination IP address, port number, protocol, or other criteria of the web traffic. The administrator can then apply these policies to the network interfaces or subinterfaces and redirect the matching traffic to the WSA. This method does not require any configuration on the client side and can be applied to any type of web traffic, including HTTPS and FTP. However, this method may require additional network resources and maintenance, as well as coordination with other network administrators.
• Web Cache Communication Protocol (WCCP) on the WSA and the network device: This method allows the administrator to configure the WSA and the network device (such as a router, switch, or firewall) to communicate with each other using WCCP, a Cisco proprietary protocol. The network device acts as a WCCP router and redirects the web traffic to the WSA, which acts as a WCCP client. The WSA then processes the traffic and returns it to the network device, which forwards it to the original destination. This method does not require any configuration on the client side and can be applied to HTTP, HTTPS, and native FTP traffic. However, this method requires that the network device supports WCCP and that the WSA and the network device are in the same Layer 2 domain.

References:

Northbound APIs (SDN northbound APIs) are typically RESTful APIs that are used to communicate between the SDN controller and the services and applications running over the network. Such northbound APIs can be used for the orchestration and automation of the network components to align with the needs of different applications via SDN network programmability1. The management solution is an example of an application that can use the northbound APIs to interact with the SDN controller and configure, monitor, and troubleshoot the network devices and services2. Therefore, the main function of northbound APIs in the SDN architecture is to enable communication between the SDN controller and the management solution. References: 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: Software-Defined Networking Security and Network Programmability

Cisco FTDv in AWS can be deployed in two different deployment models: single-instance and cluster. In both models, the FTDv can be configured in routed mode and managed by either an FMCv installed in AWS or a physical FMC appliance on premises. The FTDv can also use Geneve encapsulation for traffic interfaces to support AWS Gateway Load Balancer (GWLB) integration. The following table summarizes the supported deployment model configurations for FTDv in AWS:

Table

Deployment Model

Management Mode

Traffic Mode

Geneve Encapsulation

Single-instance

FMCv in AWS

Routed

Optional

Single-instance

FMC on premises

Routed

Optional

Cluster

FMCv in AWS

Routed

Required

Cluster

FMC on premises

Routed

Required

References :=

• Deploy the Threat Defense Virtual on AWS - Cisco
• Deploy a Threat Defense Virtual Cluster on AWS - Cisco
• Configure Geneve Interfaces in Secure FTDv - Cisco
• Deployment of Cisco Secure FTDv and FMCv instances in AWS - Terraform
• Solved: FTD virtual appliance in AWS - Cisco Community

Explanation To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.

 The dot1x system-auth-control command enables 802.1X globally on a Cisco switch. This command allows the switch to act as an authenticator for 802.1X clients connected to the switch ports. The switch will then communicate with a RADIUS server to authenticate the clients and grant or deny access to the network. The other commands are not related to enabling 802.1X globally. The dot1x pae authenticator command enables 802.1X authentication on a specific interface. The authentication port-control aut command enables automatic port-based authentication on an interface. The aaa new-model command enables the AAA framework for authentication, authorization, and accounting. References :=

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain “man-in-the-middle” attacks. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database. DAI also supports static ARP ACLs for hosts with static IP addresses. DAI checks all ARP packets on untrusted interfaces, and only forwards the packets that have valid bindings. DAI can also rate-limit the ARP packets on untrusted interfaces to prevent DoS attacks. The other options are incorrect because:

• B. In a typical network, DAI should be configured to make all ports as untrusted except for the ports connecting to trusted hosts or switches, which are trusted.
• C. DAI does not associate a trust state with each switch, but with each interface on the switch.
• D. DAI intercepts all ARP requests and responses on untrusted ports only, not on trusted ports. References :=

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

https://study-ccna.com/dynamic-arp-inspection-dai/

ExplanationThe Southbound API is used to communicate between Controllers and network devices

a Cisco FirePower sensor to Firepower Management Center is configure manager add . This command establishes a secure connection between the sensor and the FMC using a registration key. The  parameter can be either the IP address or the hostname of the FMC. The  parameter can be any alphanumeric string that matches the one configured on the FMC. This command is executed on the sensor’s CLI in the privileged EXEC mode12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 2: Deploying Cisco Firepower Next-Generation Firewall, Topic: Registering the Cisco Firepower NGFW to the FMC2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics [Cisco Secure Firewall Management Center] - Cisco.

 ICMP is a protocol that is used to send diagnostic messages between hosts on a network. It is not designed to carry any data, but it can be abused by attackers to exfiltrate data from a compromised host. By encrypting the payload in an ICMP packet, the attacker can hide the data from network monitoring tools and firewalls that may not inspect ICMP traffic. The attacker can then use another tool to decrypt the data from the ICMP packets on a remote host. This technique is known as ICMP tunneling and it is a form of protocol tunneling (MITRE T1572: Protocol Tunneling1). References:

• 1: https://attack.mitre.org/techniques/T1572/
• 2: https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-icmp-tunneling-to-own-your-network/
• 3: https://digital-security.quodagis.fr/ressources/ressource/exfiltration-de-donnees-les-techniques-icmp-et-dns-tunneling-855

Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) are both important components of an endpoint security strategy, but they have different goals and capabilities. EPP is designed to act as a preventive security measure, blocking known and unknown malware and malicious activity on endpoint devices using various techniques such as antivirus, data encryption, and data loss prevention. EPP solutions are mainly cloud-managed and assisted by cloud data, and use multiple detection engines such as signature-based, machine learning, and behavioral analysis. EPP solutions prevent breaches by leveraging threat intelligence and sandboxing capabilities to continuously protect endpoints from emerging threats12.

EDR, on the other hand, focuses on detecting and responding to advanced threats that have already evaded the front-line defenses and infiltrated the environment. EDR solutions provide continuous and comprehensive visibility into endpoint activity in real time, allowing security teams to quickly and effectively identify and remediate cyberattacks such as ransomware and fileless malware. EDR solutions offer advanced threat detection, investigation, and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment. EDR solutions serve as a safety net to capture threats that go undetected by traditional antivirus software and uncover incidents that would otherwise remain invisible34.

Therefore, the primary difference between an EPP and an EDR is that EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses. References: 1: Endpoint Protection Platform (EPP) Definition - Cisco 2: EPP vs. EDR: Why You Need Both - CrowdStrike 3: Endpoint Detection and Response (EDR) Definition - Cisco 4: EDR vs EPP: Why Should You Have to Choose? - Check Point Software

ExplanationExplanationCisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:+ Ingress interface (SNMP ifIndex)+ Source IP address+ Destination IP address+ IP protocol+ Source port for UDP or TCP, 0 for other protocols+ Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols+ IP Type of ServiceNote: A flow is a unidirectional series of packets between a given source and destination.

A virus is a type of malware that infects a computer system by attaching itself to another program or file. Once executed, the virus can replicate itself and spread to other files or systems. A virus can be used to gain unauthorized access to a computer system by exploiting software vulnerabilities, stealing credentials, or installing backdoors. A virus can also cause damage to the system by deleting, modifying, or encrypting data, or consuming system resources. According to the Implementing and Operating Cisco Security Core Technologies (SCOR) course, viruses are one of the most common forms of malware and can be classified into different types based on their behavior, such as boot sector viruses, file infectors, macro viruses, or polymorphic viruses1. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 1: Malware Analysis, Lesson 1: Malware Types and Characteristics, Topic: Virus.

ExplanationIn this IaaS model, cloud providers offer resources to users/machines that include computers as virtualmachines, raw (block) storage, firewalls, load balancers, and network devices.Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware such as ransomware.

Graphical user interface Description automatically generated with low confidence

Cisco DNA Center APIs are RESTful APIs that allow you to automate and operate your network at scale, using Python scripts or other tools. They are not Cisco proprietary, as they follow the OpenAPI specification and can be accessed by any client that supports HTTP requests. They do not require Postman, although Postman is a useful tool to test and explore the API endpoints. They can quickly provision new devices by applying predefined templates and workflows, and they can view the overall health of the network by retrieving metrics and alerts from various sources. References :=

• Cisco DNA Center Platform - Cisco DevNet
• Introduction to Cisco DNA Center REST APIs - Cisco DevNet Learning Labs
• Cisco DNA Center Platform User Guide, Release 2.3.4

The Southbound API is used to communicate between Controllers and network devices.

One of the key capabilities of endpoint security is to prevent phishing attacks by ensuring that antivirus and anti malware software is up to date. This helps to detect and block malicious attachments or links that may be embedded in phishing emails. Antivirus and anti malware software can also scan the endpoint for any signs of compromise or infection that may have resulted from a successful phishing attack. Additionally, endpoint security can provide data loss prevention (DLP) features that can prevent sensitive data from being exfiltrated by attackers who have gained access to the endpoint through phishing. References :=

Some possible references are:

• Endpoint Security and Phishing: What to Know
• Protect Against Spear Phishing with Endpoint Security
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

ExplanationExplanationDevSecOps (development, security, and operations) is a concept used in recent years to describe how to movesecurity activities to the start of the development life cycle and have built-in security practices in the continuousintegration/continuous deployment (CI/CD) pipeline. Thus minimizing vulnerabilities and bringing security closerto IT and business objectives.Three key things make a real DevSecOps environment:+ Security testing is done by the development team.+ Issues found during that testing is managed by the development team.+ Fixing those issues stays within the development team.

ExplanationExplanationA teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a targetmachine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IPfragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

ExplanationExplanationA Directory Harvest Attack (DHA) is a technique used by spammers to find valid/existent email addresses at a domain either by using Brute force or by guessing valid e-mail addresses at a domain using differentpermutations of common username. Its easy for attackers to get hold of a valid email address if yourorganization uses standard format for official e-mail alias (for example: jsmith@example.com). We canconfigure DHA Prevention to prevent malicious actors from quickly identifying valid recipients.Note: Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up contact information from a server, such as ClickMail Central Directory. For example, here’s an LDAP search translated into plain English: “Search for all people located in Chicago who’s name contains “Fred” that have an email address. Please return their full name, email, title, and description.

The Python script in the exhibit uses the Cisco AMP for Endpoints API to get information about the computers in the deployment. It imports the requests library, which allows it to make HTTP requests. It then defines three variables: client_id, api_key, and url. These are used to authenticate and access the API endpoint. The url is set to ‘1’, which returns a list of computers in JSON format. The script then makes a GET request using the requests.get() method, passing the url and the authentication details as parameters. The response from the API is stored in the response variable, and converted to JSON using the response.json() method. The script then loops over each computer in the ‘data’ field of the JSON response, using a for loop. Inside the loop, it extracts the hostname of each computer using the ‘hostname’ key, and prints it using the print() function. Therefore, the script will pull all computer hostnames and print them, which is option C. References:

• Overview of the Cisco AMP for Endpoints API
• Secure Endpoint API - Cisco DevNet
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Multi-factor authentication (MFA) is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. token), or something the user is (e.g. biometric). MFA can prevent or mitigate some common types of cyberattacks that rely on stealing or guessing a user’s credentials, such as phishing and brute force attacks12

• Phishing is an attack where an attacker sends a fraudulent email or message that appears to come from a legitimate source, such as a bank or a government agency, and tries to trick the user into clicking on a malicious link or attachment, or providing their credentials or personal information34 MFA can prevent phishing attacks by requiring an additional factor of authentication that the attacker cannot obtain from the phishing email or message, such as a one-time password (OTP) sent to the user’s phone or email, or a biometric verification such as a fingerprint or face scan56

• Brute force is an attack where an attacker tries to guess a user’s password by systematically trying different combinations of characters, words, or phrases until they find the correct one. MFA can prevent brute force attacks by requiring an additional factor of authentication that the attacker cannot guess, such as a physical token or a push notification that the user has to approve.

References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: What Type of Attacks Does MFA Prevent? | OneLogin 3: 5 Multi-Factor Authentication Vulnerabilities and How to Resolve Them 4: FBI warns about attacks that bypass multi-factor authentication (MFA) 5: Defend your users from MFA fatigue attacks - Microsoft Community Hub 6: What type of attacks does Multi-Factor Authentication prevent? : How to Prevent Brute Force Attacks | Cloudflare : Brute Force Attack - an overview | ScienceDirect Topics : Multi-factor authentication - Wikipedia : Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online

Anycast IP is a component of Cisco umbrella architecture that increases reliability of the service by allowing the same IP address to exist on multiple servers around the world. This way, the user’s request is automatically routed to the nearest and fastest data center, and failover is seamless in case of an outage. Anycast IP also reduces latency and improves performance by using BGP to select the shortest path to the destination12. References := 1: Why Cisco Umbrella uses anycast routing - Cisco Umbrella 2: Cisco Umbrella At a Glance

ExplanationExplanationEach rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

ExplanationSymmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.Asymmetric encryption takes relatively more time than the symmetric encryption.Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric keyalgorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric andasymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES (Data Encryption Standard) and provides more secure encryption then DES.Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned toSymmetric algorithm.

ExplanationExplanation… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s FirepowerManagement Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

ExplanationA data breach is the intentional or unintentional release of secure or private/confidential information to anuntrusted environment.When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.

ExplanationExplanationHow To Troubleshoot ISE Failed Authentications & AuthorizationsCheck the ISE Live LogsLogin to the primary ISE Policy Administration Node (PAN).Go to Operations > RADIUS > Live Logs(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >Endpoints and Users > RADIUS AuthenticationsCheck for Any Failed Authentication Attempts in the Log

Application Description automatically generated with low confidence

ExplanationThe Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible.The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced malware protection that goes beyond point-in-time detection to protect your organization across the entire attack continuum – before, during, and after an attack. Designed for Cisco Firepower® network threat appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat vectors within a single system. It also provides the visibility and control necessary to protect your organization against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

ExplanationCommunity Cloud allows system and services to be accessible by group of organizations. It shares theinfrastructure between several organizations from a specific community. It may be managed internally byorganizations or by the third-party.

Text, chat or text message Description automatically generated

ExplanationYou can configure discovery rules to tailor the discovery of host and application data to your needs.The Firepower System can use data from NetFlow exporters to generate connection and discovery events, and to add host and application data to the network map.A network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not correct.

 Secret key cryptography, also known as symmetric key cryptography, is a type of encryption where a single secret key is used for both encryption and decryption of a message. The cryptographic key is kept secret between the sender and receiver, making it difficult for anyone else to decipher the message. Some of the functions of secret key cryptography are:

• Key selection without integer factorization: Secret key cryptography does not rely on complex mathematical problems such as integer factorization or discrete logarithms to generate keys. Instead, the keys are chosen randomly or derived from a passphrase or a shared secret. This makes the key generation process faster and simpler than in public key cryptography.
• Utilization of less memory: Secret key cryptography uses less memory than public key cryptography, as it only requires one key to be stored and managed. Public key cryptography, on the other hand, requires two keys (public and private) for each user, which increases the memory overhead and complexity of key management.

The other options are not functions of secret key cryptography, but rather characteristics of public key cryptography or asymmetric cryptography, which is a different type of encryption where different keys are used for encryption and decryption. Public key cryptography has the following features:

• Utilization of different keys for encryption and decryption: Public key cryptography uses a pair of keys, one public and one private, for each user. The public key can be shared with anyone, while the private key must be kept secret. The public key is used to encrypt messages, while the private key is used to decrypt them. This allows users to communicate securely without having to exchange a secret key beforehand.
• Utilization of large prime number iterations: Public key cryptography relies on hard mathematical problems such as integer factorization or discrete logarithms to generate keys. These problems involve finding the prime factors of large numbers or finding the discrete logarithms of numbers in a finite field. These problems are easy to solve in one direction, but hard to solve in the reverse direction. For example, it is easy to multiply two large prime numbers, but hard to find the prime factors of the product. This makes the keys hard to break by brute force or other methods.
• Provides the capability to only know the key on one side: Public key cryptography enables users to encrypt messages without knowing the recipient’s key, and vice versa. This is possible because the encryption and decryption keys are different and mathematically related. For example, Alice can encrypt a message with Bob’s public key, and only Bob can decrypt it with his private key. Alice does not need to know Bob’s private key, and Bob does not need to know Alice’s key. This also enables public key cryptography to support digital signatures, which are a way of verifying the identity and integrity of a message.

References :=

• What Is Secret Key Cryptography? A Complete Guide - Helenix
• Definition of Secret-key Cryptography - Gartner

Cisco FTDv is a virtual appliance that combines the features of Cisco ASA and Cisco Firepower NGIPS. It provides stateful firewall, IPS, URL filtering, malware protection, and other advanced security functions. Cisco ASAv is a virtual appliance that only provides stateful firewall and VPN features. It does not support URL filtering or other Firepower functions. Therefore, Cisco FTDv provides more features than ASAv, especially for next-generation firewall capabilities. References :=

• Cisco Firewall in AWS - Should i use ASAv or FTDv/FMCv?
• Difference between Cisco ASAv, NGIPSv and FTDv…?
• Are there any differences in features between Cisco ASA hardware …

ExplanationExplanationThe Mail Policies menu is where almost all of the controls related to email filtering happens. All the security and content filtering policies are set here, so it’s likely that, as an ESA administrator, the pages on this menu are where you are likely to spend most of your time.

 The product that allows Cisco FMC to push security intelligence observable to its sensors from other products is Threat Intelligence Director (TID). TID is a feature of Cisco FMC that enables you to integrate third-party threat intelligence feeds into your security policies. TID collects, aggregates, and correlates observables from multiple sources, such as Cisco Talos Intelligence, Cisco Umbrella, and other external providers. TID then pushes the observables to the sensors that are managed by FMC, such as Firepower Threat Defense (FTD) devices, Firepower appliances, and Cisco Secure Firewall Cloud Native. The sensors can then use the observables to block or monitor traffic based on the reputation and threat level of the IP addresses, URLs, and domains12.

References: 1: Firepower Management Center Configuration Guide, Version 6.6 - Threat Intelligence Director [Cisco Secure Firewall Management Center] - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Threat Intelligence Director [Cisco Firepower NGFW] - Cisco

Cisco Cloudlock is a cloud-native security platform that provides data loss prevention (DLP) capabilities for public cloud environments, such as SaaS, IaaS, and PaaS. Cisco Cloudlock can discover, classify, and protect sensitive data stored in cloud applications, such as Office 365, Google Workspace, Salesforce, Dropbox, and AWS. Cisco Cloudlock uses advanced techniques, such as regular expressions, keywords, dictionaries, and machine learning, to identify and monitor data based on predefined or custom policies. Cisco Cloudlock can also enforce actions, such as encryption, quarantine, deletion, or notification, to prevent data leakage or exposure12. References := 1: Cisco Cloudlock Data Sheet 2: Cloud Data Loss Prevention (Cloud DLP) Overview

ExplanationPhishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal,often financial, information. Attackers may send email seemingly from a reputable credit card company orfinancial institution that requests account information, often suggesting that there is a problem.

Cisco AMP (Advanced Malware Protection) is a product that provides proactive endpoint protection and allows administrators to centrally manage the deployment. AMP uses cloud-based intelligence, sandboxing, and continuous analysis to detect and block advanced threats before they reach the endpoints. AMP also provides retrospective security, which means that it can alert and remediate endpoints if a file that was previously deemed benign is later found to be malicious. AMP can be integrated with other Cisco products, such as Firepower, Meraki, and Email Security Appliance, to provide comprehensive security across the network. AMP is available for Windows, Mac, Linux, Android, and iOS devices. References :=

Some possible references are:

• Endpoint Protection Platform (EPP) Definition - Cisco: This page defines what an endpoint protection platform (EPP) is and how it differs from traditional antivirus solutions. It also explains the benefits of using Cisco Secure Endpoint, formerly known as AMP for Endpoints.
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco: This page provides an overview of the features and capabilities of Cisco Secure Endpoint, such as cloud-based intelligence, endpoint isolation, file trajectory, device flow correlation, and more. It also offers resources for getting started, deploying, and managing Cisco Secure Endpoint.
• SCOR 350-701 Flashcards | Quizlet: This page contains flashcards for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. One of the flashcards is the same question as the one asked by the user, and it provides the correct answer and a brief explanation.

Traffic storm control is a feature that prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control monitors the level of each traffic type for which it is enabled in 1-second intervals and compares it with the configured threshold, which is a percentage of the total available bandwidth of the port. When the ingress traffic reaches the threshold, traffic storm control drops the traffic until the end of the interval. Traffic storm control uses the Individual/Group bit in the packet destination address to determine if the packet is unicast or broadcast. This bit is set to 0 for unicast addresses and 1 for multicast or broadcast addresses. Traffic storm control does not use the source address to classify the traffic type. References := Configuring Traffic Storm Control - Cisco, Understanding Cisco Traffic Storm Control - NetCraftsmen

ExplanationMalware means “malicious software”, is any software intentionally designed to cause damage to a computer, server, client, or computer network. The most popular types of malware includes viruses, ransomware and spyware. Virus Possibly the most common type of malware, viruses attach their malicious code to clean code and wait to be run.

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.Spyware is spying software that can secretly record everything you enter, upload, download, and store on your computers or mobile devices. Spyware always tries to keep itself hidden.An exploit is a code that takes advantage of a software vulnerability or security flaw.Exploits and malware are two risks for endpoints that are not up to date. ARP spoofing and eavesdropping are attacks against the network while denial-of-service attack is based on the flooding of IP packets.

 IOS zone-based firewalls (ZBFW) are a feature that provides stateful firewall policies between groups of interfaces known as zones. A zone is a logical grouping of one or more interfaces that have similar security requirements. A zone can be applied to physical interfaces, subinterfaces, port channels, VLAN interfaces, or tunnel interfaces. However, an interface can be assigned only to one zone, and it cannot be shared between zones. This is because the ZBFW policy is applied between zones, not interfaces, and it controls the bidirectional traffic flow between them. Therefore, an interface can belong to only one zone at a time, and it must be removed from one zone before it can be added to another zone. This ensures that the firewall policy is consistent and unambiguous for each interface.

References :=

• Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Gibraltar 16.12.x, Configuring Zones
• Understand the Zone-Based Policy Firewall Design, Zone-Based Policy Overview
• IOS Zone Based Firewall Step-by-Step Basic Configuration, Zone Based Firewall Vs CBAC

ExplanationWith Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

 Suppression is a feature of Cisco Next Generation Intrusion Prevention System (NGIPS) that allows you to reduce false positives and unwanted alerts by filtering out specific traffic from the intrusion detection and prevention process. You can configure suppression based on different criteria, such as port, rule, source, destination, and network. The two valid suppression types for this question are port and rule. Port suppression allows you to exclude traffic based on the source or destination port number, or both. For example, you can suppress alerts for port 80 (HTTP) traffic if you are not interested in web-based attacks. Rule suppression allows you to exclude traffic based on the rule ID (SID) or the rule category. For example, you can suppress alerts for rules that belong to the policy-violations category if you are not concerned about them. You can also suppress alerts for specific rules that are not relevant to your network or generate too many false positives. References

ExplanationDNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNSqueries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNSserver and used to control a remote server and applications.

In transparent mode, the WSA can handle both explicit and transparent HTTP requests, depending on how the client browser is configured. The WSA must pretend to be the origin content server for transparent requests, since the client is unaware of the existence of a proxy1. WCCP v2 is a protocol that allows a WCCP-enabled device (such as a router or a switch) to redirect traffic to the WSA based on certain criteria, such as destination port 802. This way, the client does not need to configure a proxy or a PAC file in the browser. The other options are false because they are either required for explicit mode or not supported by the WSA. References :=

• What is the difference between transparent and forward proxy mode?
• Configure Transparent Redirection With WCCP in Order to Support HTTP, HTTPS, and Native FTP Traffic

ExplanationCisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email securityinfrastructure both on premises and in the cloud. You can change the number of on-premises versus cloudusers at any time throughout the term of your contract, assuming the total number of users does not change.This allows for deployment flexibility as your organization’s needs change.

Explanation

A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.

Buffer overflow is a vulnerability in low level codes of C and C++. An attacker can cause the program to crash, make data corrupt, steal some private information or run his/her own code. It basically means to access any buffer outside of it’s alloted memory space. This happens quite frequently in the case of arrays.

ExplanationThis command uses RADIUS which combines authentication and authorization in one function (packet).

A traffic profile is a graph of network traffic based on connection data collected over a profiling time window (PTW). This measurement presumably represents normal network traffic. After the learning period, you can detect abnormal network traffic by evaluating new traffic against your profile. You can also set up inactive periods in traffic profile to exclude data that does not reflect normal network behavior. You can use traffic profiles to write correlation rules that trigger when the traffic deviates from the profile by a certain threshold or standard deviation. This way, you can identify and respond to potential attacks or security policy violations that cause traffic anomalies. References :=

Some possible references are:

• Firepower Management Center Configuration Guide, Version 6.0 - Traffic Profiling
• Cisco Next-Generation Intrusion Prevention System (NGIPS)
• Which statement describes a traffic profile on a Cisco Next Generation Intrusion Prevention System?

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella] 5: [Advanced Malware Protection - Cisco Umbrella]

The Cisco DNA Center API provides the ability to program and monitor networks from somewhere other than the DNAC GUI. The API is a set of RESTful web services that allow users to interact with Cisco DNA Center programmatically. The API can be used to automate tasks, integrate with third-party applications, or create custom applications. The API exposes the same functionality as the DNAC GUI, such as design, provision, policy, assurance, and platform1. The API also provides documentation, examples, and testing tools for each API call1. References :=

• Cisco DNA Center User Guide, Release 2.3.3
• Cisco DNA Center User Guide, Release 2.2.2
• DNAC Tour Part 1: Introduction to Cisco DNA Center
• Cisco DNA Center Platform User Guide, Release 2.2.2

ExplanationThe syntax of this command is shown below:snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]The command above restricts which IP source addresses are allowed to access SNMP functions on the router. You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don’t come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing through on their way to some other destination device.

Cisco Security Intelligence is a feature that allows you to block or monitor traffic based on IP addresses or domain names that are known to be malicious or suspicious. Cisco Security Intelligence requires a Protect license on the Cisco Next Generation Intrusion Prevention System (NGIPS), which is part of the Firepower Threat Defense (FTD) software. A Protect license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering1. The other license options (control, malware, and URL filtering) do not enable Cisco Security Intelligence on the NGIPS. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, section “Security Intelligence”
• Firepower Management Center Configuration Guide, Version 6.0, section “Licensing the Firepower System”

The debug crypto isakmp sa command shows the status of the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs). The output of this command indicates that the ISAKMP negotiation failed after several retransmissions. The most likely cause of this failure is a mismatch in the authentication key between the two peers. The authentication key is specified by the crypto isakmp key command and must be the same on both routers. If the authentication key is different, the ISAKMP messages cannot be decrypted and verified by the peers, resulting in an error. To fix this problem, the network administrator should verify and correct the authentication key on both routers and clear the existing ISAKMP SAs with the clear crypto isakmp sa command. References: 1, 2, 3, 4

Explanation

TAXII (Trusted Automated Exchange of Indicator Information) is a standard that provides a transport

Posture is a service in Cisco ISE that checks the compliance of endpoints with corporate security policies before allowing them to connect to the network. Posture policies define the requirements that endpoints must meet to be compliant, such as having antivirus software installed and updated, or having a specific registry key value. If an endpoint is compliant, Cisco ISE can apply a Change of Authorization (CoA) to grant it access to the network resources. CoA is a mechanism that allows Cisco ISE to dynamically change the authorization attributes of an existing session, such as VLAN, dACL, or SGT, without requiring the user to reauthenticate. CoA can be triggered by various events, such as posture assessment results, profiling changes, or manual actions by the administrator. CoA can also be used to quarantine or disconnect non-compliant endpoints. Therefore, ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE provides the benefit of allowing CoA to be applied if the endpoint status is compliant. References :=

• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies
• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Change of Authorization

Cisco ESA uses a multilayer approach to fight viruses and malware. The first layer of defense consists of outbreak filters, which the appliance downloads from Cisco SenderBase. Outbreak filters use global threat intelligence and behavioral analysis to identify and block emerging threats before they reach the network. The second layer of defense consists of antivirus engines, which scan the message body and attachments for known viruses and malware. Cisco ESA supports multiple antivirus engines, such as Sophos, McAfee, and Cisco AMP. The Sophos engine is one of the default engines that Cisco ESA uses, along with McAfee. The Sophos engine provides fast and accurate detection of viruses and malware, and updates its signatures frequently. The other options are not features that are used to configure Cisco ESA with a multilayer approach to fight viruses and malware. A white list is a list of trusted senders or recipients that are exempt from spam or virus filtering. RAT is the Recipient Access Table, which is used to determine whether the appliance accepts or rejects messages to a recipient address. DLP is Data Loss Prevention, which is used to prevent sensitive or confidential data from leaving the network. References :=

• Email Security Using Cisco ESA
• Demystifying Cisco ESA HAT, RAT Tables and Deployment Types
• Email Security Deployment Guide - Cisco

Active Directory (AD) is an ID store that requires that a shadow user be created on Cisco ISE for the admin login to work. A shadow user is a user account that is defined in the ISE internal database, but has the password set to external. This means that the user authentication is performed against an external identity source, such as AD, while the user authorization is based on the ISE admin group membership. A shadow user is useful when the admin wants to assign different roles or permissions to specific AD users, rather than using AD groups. To create a shadow user, the admin must check the External checkbox in the ISE admin user configuration, and make sure that the username matches the AD username. The shadow user must also be assigned to an ISE admin group that has the Type set to External123. References := 1: ISE Admin User Shadow AD Account Issue 2: ISE Admin user authentication from AD 3: Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

• Configure Windows Policy in AMP for Endpoints - Cisco
• Prevent, Detect and Respond with Cisco AMP for Endpoints

 NetFlow is a protocol that collects and exports information about network traffic flows. NetFlow Version 9 is the latest version supported by the Cisco ASA 5500 Series firewall. To enable NetFlow on the ASA, you need to perform two main tasks: define a NetFlow collector and apply NetFlow exporter to an interface. A NetFlow collector is a device or application that receives and processes the NetFlow records sent by the ASA. You can define a NetFlow collector by using the flow-export command, which specifies the IP address, port number, and interface of the collector. A NetFlow exporter is a configuration that determines which traffic flows are monitored and exported by the ASA. You can apply NetFlow exporter to an interface by using the Modular Policy Framework (MPF), which allows you to create class maps and policy maps to match and act on interesting traffic. You can use the flow-export event-type option in the policy map to select the NetFlow events that you want to export. The other options (B, C, and D) are not required or correct for enabling NetFlow on the ASA. You do not need to create an ACL to allow UDP traffic on port 9996, because the ASA uses a random high port number to send NetFlow records to the collector. You do not need to apply NetFlow exporter to the outside interface in the inbound direction, because you can apply it to any interface and direction that you want to monitor. You do not need to create a class map to match interesting traffic, because the ASA monitors all traffic flows by default, unless you filter them by using the flow-export filters command. References:

• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “About NSEL”
• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure NSEL Collectors (CLI)”
• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure Flow-Export Actions Through Modular Policy Framework”
• Configuring NetFlow on ASA with ASDM, section “Enabling NetFlow on ASA”

ExplanationStateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packetsafter a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automaticallytakes over the tasks of the active (primary) router if the active router loses connectivity for any reason. Thisfailover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.Stateful failover for IPsec requires that your network contains two identical routers that are available to be eitherthe primary or secondary device. Both routers should be the same type of device, have the same CPU andmemory, and have either no encryption accelerator or identical encryption accelerators.Prerequisites for Stateful Failover for IPsec

ExplanationThe command “snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]” adds a new user (in this case “andy”) to an SNMPv3 group (in this case group name “myv3”) and configures a password for the user.In the “snmp-server host” command, we need to:+ Specify the SNMP version with key word “version {1 | 2 | 3}”+ Specify the username (“andy”), not group name (“myv3”).Note: In “snmp-server host inside …” command, “inside” is the interface name of the ASA interface through which the NMS (located at 10.255.254.1) can be reached.

ExplanationThe user “admin5” was configured with privilege level 5. In order to allow configuration (enter globalconfiguration mode), we must type this command:(config)#privilege exec level 5 configure terminalWithout this command, this user cannot do any configuration.Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC)

Content Security is a term that encompasses various security features and solutions that protect the data and applications from threats such as malware, ransomware, phishing, data loss, and unauthorized access. Content Security includes products such as Cisco Email Security, Cisco Web Security, Cisco Cloudlock, and Cisco Umbrella. These products use the AsyncOS API, which is a RESTful API that allows administrators and developers to programmatically interact with the content security appliances and services. The AsyncOS API enables tasks such as configuration, reporting, monitoring, troubleshooting, and automation of content security policies and actions. The AsyncOS API is based on the HTTP protocol and uses JSON or XML as the data format. The AsyncOS API also supports authentication, authorization, rate limiting, and error handling mechanisms. The AsyncOS API documentation provides the details of the available resources, methods, parameters, and responses for each content security product. References :=

• Cisco Content Security Products
• AsyncOS API Overview
• AsyncOS API Documentation

1: https://www.cisco.com/c/en/us/products/security/content-security/index.html  2: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/API/b_ESA_API_13_0_1/b_ESA_API_13_0_1_chapter_01.html  3: https://developer.cisco.com/docs/email-security/#!asyncos-api-overview

ExplanationExplanationCisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.

 IKEv1 is the authentication protocol that is reliable and supports ACK and sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1 uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the peers authenticate each other and negotiate a shared secret key that is used to encrypt the subsequent messages. In phase 2, the peers negotiate the security parameters for the IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the reliability and integrity of the messages exchanged between the peers. ACK is an acknowledgment message that confirms the receipt of a previous message. Sequence number is a unique identifier that is assigned to each message to prevent replay attacks and to detect missing or out-of-order messages. IKEv1 also supports various authentication methods, such as pre-shared keys, digital certificates, and extended authentication (XAUTH). References : Internet Key Exchange for IPsec VPNs Configuration Guide, Security for VPNs with IPsec Configuration Guide, IPSec Architecture

Posture assessment is a feature of Cisco ISE that allows you to check the compliance of endpoints with corporate security policies before allowing them to access the network1. Posture assessment can detect missing patches on endpoints and help with remediation by applying the appropriate posture policy and requirement2. Posture assessment can also check for the presence and status of security software, such as antivirus, antispyware, firewall, and so on3. Posture assessment is one of the core security technologies covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course4, which prepares you for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Posture Service 2: Configure Posture Policies 3: Posture Conditions 4: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Before identifying the URL during HTTPS inspection in Cisco Secure Firewall Threat Defense software, the default action is to "pass." This means that the traffic is allowed through without inspection until the URL can be identified, at which point appropriate security policies can be applied based on the URL categorization and reputation.

GETVPN and IPsec are both VPN technologies that use ESP (Encapsulating Security Payload) to encrypt and authenticate data packets. However, they differ in the following aspects:

• GETVPN uses a group IPSec security paradigm, which means that all group members share the same IPSec SA (Security Association) and can communicate with each other without having to establish point-to-point tunnels. IPsec, on the other hand, uses a pair-wise IPSec security paradigm, which requires each pair of devices to negotiate and maintain their own IPSec SAs and tunnels.
• GETVPN uses GDOI (Group Domain of Interpretation) as a key management protocol, which allows a Key Server (KS) to distribute the encryption keys and policies to all group members. IPsec uses IKE (Internet Key Exchange) as a key management protocol, which involves two phases of negotiation between each pair of devices to establish the IPSec SAs.
• GETVPN supports multicast traffic without the need for GRE (Generic Routing Encapsulation) tunneling, as it preserves the original IP header of the packet. IPsec does not support multicast traffic natively, and requires GRE tunneling to encapsulate the multicast packets with a new IP header.
• GETVPN relies on the underlying WAN routing to deliver the encrypted packets to the destination, as it does not create any overlay routing. IPsec creates an overlay routing, which may introduce additional latency and complexity.

References :=

Some possible references are:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 6: Secure Connectivity, Lesson 6.2: Implementing Site-to-Site VPNs, Topic 6.2.2: Group Encrypted Transport VPN
• Group Encrypted Transport VPN (GETVPN)
• GETVPN - Cisco Community
• Cisco Get VPN vs DMVPN: Difference and Comparison
• What is a difference between GETVPN and IPsec?

ExplanationDiffie Hellman (DH) uses a private-public key pair to establish a shared secret, typically a symmetric key. DH is not a symmetric algorithm – it is an asymmetric algorithm used to establish a shared secret for a symmetric key algorithm.

To enable a separated email transfer flow from the Internet and from the LAN, the engineer must use the two-interface deployment mode on the Cisco WSA. This mode allows the WSA to have two separate network interfaces, one for the Internet traffic and one for the LAN traffic. This way, the WSA can apply different policies and settings for each interface, and isolate the email flows from each other. The two-interface mode also provides better performance and security than the single-interface mode, which uses only one network interface for both Internet and LAN traffic12. The other deployment modes, such as multi-context, transparent, or single-interface, do not support a separated email transfer flow from the Internet and from the LAN. References:

• Two-interface mode, section “Deployment”.
• WSA network configuration, section “Interfaces”.

 OWASP stands for Open Web Application Security Project, a non-profit organization that provides resources for web application security. OWASP has developed a number of standards, projects, events, and news on topics such as web application security, supply chain security, and cyber risk mitigation1. One of the most widely recognized OWASP resources is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, such as broken access control, cryptographic failures, injection, and insecure design2. The OWASP Top 10 is updated periodically based on data analysis and community feedback. The latest edition was released in 20213. By following the OWASP Top 10 and other OWASP resources, developers can build more secure applications that minimize these risks. References := 1: OWASP Foundation, the Open Source Foundation for Application Security 2: OWASP Top Ten | OWASP Foundation 3: OWASP Top 10:2021

A teardrop attack is a type of DoS attack that uses fragmented packets in an attempt to crash a target machine. The attacker sends IP packets that are deliberately malformed, such that the fragments overlap or have invalid offsets. When the target machine tries to reassemble the packets, it encounters an error or a buffer overflow, resulting in a system crash or a denial of service. Teardrop attacks exploit a vulnerability in the TCP/IP fragmentation reassembly process, which is responsible for splitting and recombining large packets that exceed the maximum transmission unit (MTU) size. Teardrop attacks can affect various operating systems, such as Windows, Linux, and BSD, depending on the implementation of the TCP/IP stack. Teardrop attacks are also known as IP fragmentation attacks or overlapping fragment attacks. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: Cloud Security Threats, Topic 5.2.2: DoS Attacks
• What is an IP Fragmentation Attack (Teardrop ICMP/UDP)
• Teardrop Attack - Radware
• What Is a Teardrop Attack? | F5

https://www.cisco.com/c/en/us/t d/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_using_intrusion_and_file_policies.html#:~:text=File%20Policies-,Access%20Control%20Traffic%20Handling%20with%20Intrusion%20and%20File%20Policies,-The%20following%20diagram

the first three access control rules in the policy—Monitor, Trust, and Block—cannot inspect matching traffic. Monitor rules track and log but do not inspect network traffic, so the system continues to match traffic against additional rules to determine whether to permit or deny it

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_rules.html#:~:text=Rule%20Blocking%20Actions-,Access%20Control%20Rule%20Allow%20Action,network%20discovery%20policy%3B%20additionally%2C%20application%20discovery%20is%20limited%20for%20encrypted%20sessions.,-Related%20Concepts

One of the benefits of a Cisco Secure Email Gateway Virtual appliance compared to a physical one is the ability to allocate additional resources as needed. Virtual appliances can be easily scaled up by allocating more CPU, memory, or storage resources, providing flexibility and scalability in response to changing demands or growth.

Cross-site scripting (XSS) is the method of attack that is used by a hacker to send malicious code through a web application to an unsuspecting user to request that the victim’s web browser executes the code. XSS is a type of injection attack that exploits the lack of input validation or output encoding in a web application. An attacker can craft a malicious script and embed it in a web page or a URL that is sent to the user. When the user visits the web page or clicks the URL, the script is executed by the user’s browser, which may not be able to distinguish it from legitimate code. The script can then perform various actions, such as stealing cookies, session tokens, or other sensitive information, redirecting the user to a malicious site, or performing actions on behalf of the user12. The other options are not correct, because they are not methods of attack that use web applications to execute malicious code on the user’s browser. Buffer overflow is a type of attack that exploits a memory vulnerability in a program or system, where an attacker can overwrite the memory beyond the allocated buffer and execute arbitrary code3. Browser WGET is a command-line tool that can be used to download files from the web, but it is not an attack method by itself4. SQL injection is a type of attack that exploits a database vulnerability in a web application, where an attacker can inject malicious SQL statements into a user input field and execute them on the database server5. References:

• 1: What is Cross-Site Scripting (XSS)? - Cisco
• 2: Cross-Site Scripting (XSS) - OWASP
• 3: What is a Buffer Overflow? - Cisco
• 4: GNU Wget 1.21.1 Manual
• 5: What is SQL Injection (SQLi)? - Cisco

A destination list is a list of internet destinations: domains, URLs, and CIDRs. To control identity access to specific destinations, you can add destination lists to Umbrella and then select them when configuring your Web and DNS policies12. When you add or edit a destination list, the changes are applied immediately if the destination list is part of a policy3. This means that any identities that are associated with the policy will be affected by the changes in the destination list. You do not need to save the configuration or remove the destination list from the policy to apply the changes. However, you do need to have the appropriate user role to manage destination lists. The user role of Block Page Bypass or higher is needed to perform these changes4. References :=

• Manage Destination Lists - Umbrella User Guide
• Manage Destination Lists - Umbrella SIG User Guide
• Add a Destination List - Umbrella User Guide
• Add a DNS Destination List - Umbrella SIG User Guide

 The RADIUS CoA feature supports the IETF attribute 24 State, which is used to identify the session for which the CoA request is intended. The State attribute is sent by the device in the Access-Accept message and must be echoed back by the RADIUS server in the CoA-Request message. The other attributes are not supported for the RADIUS CoA feature.

To understand the concept of RADIUS CoA and the supported attributes, you can refer to the following sections of the source book:

• Section 1.1.2: Describe the concepts of network security
• Section 1.1.2.6: Describe the concepts of RADIUS CoA
• Section 1.1.2.7: Describe the concepts of supported IETF attributes

References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0
• RADIUS Change of Authorization - Cisco
• RADIUS attribute for change of authorization - Ruckus Networks

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud
• Cisco Stealthwatch
• NetFlow for Cybersecurity and Incident Response

B

 The error 403: Forbidden indicates that the web server denied access to the requested resource, which in this case is the PCAP file. One possible reason for this error is that the HTTPS server is not enabled for the device platform policy, which is a configuration that applies to the FTD devices managed by the FMC. The device platform policy defines the settings for the management interface, the SSH access, the SNMP, the NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must enable the HTTPS server for the device platform policy in order to resolve this issue. To enable the HTTPS server for the device platform policy, the engineer must follow these steps:

• Log in to the FMC web interface and navigate to Devices > Platform Settings.
• Select the device platform policy that applies to the FTD device and click Edit.
• In the General tab, check the Enable HTTPS Server checkbox and click Save.
• Deploy the policy changes to the FTD device and wait for the deployment to complete.
• Try to access the PCAP file again from the FMC web browser using the same address.

Alternatively, the engineer can also enable the HTTPS server for the FTD device from the FTD CLI using the command configure network https-server enable. However, this method is not recommended because it may cause a configuration conflict with the FMC123

References := 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco 3: Cisco Firepower Threat Defense Command Reference - C through D Commands [Cisco Firepower NGFW] - Cisco

 The configuration snippet in the image is a part of IKEv2 configuration where the name mangler is associated with the organizational unit (OU) “MANGLER”. In Cisco’s IKEv2 implementation, this specific configuration means that only an IKEv2 peer whose certificate has an OU attribute set to “MANGLER” can establish an IKEv2 Security Association successfully. This is a method of ensuring that only peers with certificates issued to a specific organizational unit can connect, enhancing security by limiting unauthorized access. The name mangler is a feature that allows the administrator to specify a string that must be present in the peer’s certificate for authentication. The name mangler can be applied to any certificate field, such as common name (CN), organization (O), or OU. The name mangler can also be used to modify the peer’s identity based on the certificate field, such as appending or prepending a string to the identity. The name mangler is configured under the IKEv2 profile using the command crypto ikev2 profile profile-name identity name-mangler name-mangler-name dn field-name. In this case, the name mangler is applied to the OU field of the peer’s certificate. The other options are incorrect because they do not describe the effect of the name mangler configuration. Option A is incorrect because the name mangler does not affect the identity matching for the IKEv2 authorization policy. The identity matching is based on the peer’s identity type and value, which can be different from the certificate field. Option C is incorrect because the name mangler does not encrypt the OU field of the peer’s certificate. The OU field is part of the certificate’s subject, which is not encrypted in the IKEv2 messages. Option D is incorrect because the name mangler does not set the OU field of the peer’s certificate. The OU field is determined by the certificate authority (CA) that issues the certificate, and the name mangler only verifies or modifies the peer’s identity based on the OU field. References : Configuring Internet Key Exchange Version 2, Internet Key Exchange Version 2 CLI Constructs, Tutorial: Setting up a certificate-based IKEv2 VPN connection (RSA)

 Cisco Duo is a multi-factor authentication (MFA) solution that verifies the identity of all users with Duo’s easy, one-tap-approval MFA app. It also provides device visibility and adaptive policies to ensure that only trusted devices can access corporate applications and networks. Some of the benefits of using Cisco Duo as an MFA solution are:

• It provides a simple and streamlined login experience for multiple applications and users. Users can access all their applications from a single dashboard, and authenticate with a simple push notification or other convenient methods. Duo also supports single sign-on (SSO) for integrated applications, reducing the need for multiple passwords and logins12.
• It offers native integration that helps secure applications across multiple cloud platforms or on-premises environments. Duo can be easily integrated with most major apps and custom applications, enabling a secure access solution that can be implemented with minimal IT involvement. Duo also supports various protocols and standards, such as SAML, RADIUS, LDAP, and WebAuthn, to enable seamless integration with different environments13.

References: 1: Multi-Factor Authentication (MFA) | Duo Security 2: Multi-Factor Authentication (MFA) | Duo Security - Cisco 3: What Is Duo? Two-Factor Authentication From Cisco - Cisco

Endpoint-based security is the solution for performing signature-based application control, which is a method of identifying and blocking malicious applications based on their signatures or hashes. Signature-based application control is one of the features of endpoint security solutions, such as Cisco AMP for Endpoints1, that protect endpoints from known and unknown threats. Endpoint security solutions can also perform other functions, such as behavioral analysis, sandboxing, machine learning, and threat hunting, to provide comprehensive protection, detection, and response on the endpoint2. The other options are not scenarios where endpoint-based security is the solution. Inspecting encrypted traffic requires a network-based security solution, such as Cisco SSL Appliance3, that can decrypt and inspect the traffic for malicious content. Device profiling and authorization requires a network access control solution, such as Cisco Identity Services Engine4, that can identify and authenticate devices and users and enforce policies based on their roles and contexts. Inspecting a password-protected archive requires a file analysis solution, such as Cisco Threat Grid5, that can extract and analyze the contents of the archive for malware and indicators of compromise. References :=

• Cisco AMP for Endpoints
• What is Endpoint Security? How Does It Work?
• Cisco SSL Appliance
• Cisco Identity Services Engine
• Cisco Threat Grid

Cisco AMP (Advanced Malware Protection) is a technology that provides a combination of endpoint protection, endpoint detection, and response. Cisco AMP protects endpoints from malware and other threats by using multiple prevention engines, including signatures, machine learning, and file reputation. Cisco AMP also continuously monitors and analyzes endpoint activity to detect malicious behavior and indicators of compromise. Cisco AMP can respond to threats by blocking, isolating, or removing malicious files, processes, or devices across the network. Cisco AMP leverages the cloud-based intelligence of Cisco Talos and Cisco Threat Grid to provide global threat visibility and analysis. Cisco AMP can also integrate with Cisco Umbrella and other security solutions to provide a comprehensive and unified approach to endpoint security. References:

• Cisco Secure Endpoint (Formerly AMP for Endpoints)
• Prevent, Detect and Respond with Cisco AMP for Endpoints
• Provide State-of-the-Art Endpoint Protection as a Managed Service

 Tools like Jenkins, Octopus Deploy, and Azure DevOps provide continuous integration and continuous deployment (CI/CD) capabilities for application and infrastructure automation. CI/CD is a process that enables developers to deliver code changes more frequently and reliably by automating the building, testing, and deployment stages. CI/CD tools help to integrate various components of the software delivery pipeline, such as source control, testing frameworks, configuration management, security scanning, and deployment platforms. By using CI/CD tools, developers can achieve faster feedback loops, improved quality, reduced errors, and increased efficiency123.

According to the Cisco course on Implementing and Operating Cisco Security Core Technologies (SCOR), CI/CD is one of the key concepts of DevSecOps, which is a culture and practice that aims to embed security into every stage of the software development lifecycle. DevSecOps requires collaboration and communication between development, security, and operations teams, as well as the use of automation tools and techniques to ensure security is integrated throughout the process45. References: 1: Configuring Jenkins in Azure and deploying with Octopus 2: Octopus Deploy vs. Azure DevOps (VSTS/TFS) 3: Building .NET Core Apps in Azure DevOps and integrating Octopus Deploy 4: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 5: 350-701 SCOR - Cisco

Application visibility and control (AVC) is a solution that leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications1. One of the key components of AVC is application recognition, which uses stateful deep packet inspection (DPI) to identify applications within the network traffic flow, using L3 to L7 data2. DPI is a technique that examines the content of packets beyond the header information, and can classify applications based on their signatures, protocols, ports, or other attributes3. DPI enables AVC to monitor and control application performance, bandwidth usage, quality of service, and security policies4. References := 1: Cisco Application Visibility and Control (AVC) - Cisco 2: Cisco Application Visibility and Control User Guide - Technology Overview 3: What is application visibility and control? | Juniper Networks US 4: Application visibility and control - Secure Internet Access Enterprise

Web usage controls are a feature of Cisco Web Security Appliance (WSA) that allow administrators to define and enforce policies for web access based on URL categories. URL categories are groups of websites that share a common theme or content, such as news, sports, entertainment, etc. Cisco WSA uses the Cisco Dynamic Content Analysis Engine and the Talos Security Intelligence and Research Group to provide accurate and up-to-date URL categorization. Administrators can use the web usage controls to allow, block, warn, or monitor web requests based on the URL category of the destination website. They can also create custom URL categories to include or exclude specific domains or URLs from the predefined categories. Web usage controls help administrators to control web traffic, enhance security, improve productivity, and comply with regulatory and organizational requirements. References :=

Some possible references are:

• Web Usage Controls - Cisco Web Security Appliance User Guide, Cisco
• Cisco Web Usage Control Filtering Categories Data Sheet, Cisco
• Define Custom URL Categories in WSA, Cisco

An application that does not validate user input is particularly susceptible to SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL query via the input data from the client to the application. Due to the lack of validation, the malicious SQL commands are executed by the database server, leading to unauthorized access or manipulation of the database.

• Transparently identify users with authentication realms – This option is available when one or more authentication realms are configured to support transparent identification using one of the following authentication servers:

Details:

https://www.cisco.c om/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html#:~:text=Transparently%20identify%20users%20with%20authentication,User%20Identification%20with%20LDAP.

 Intelligent Multi-Scan (IMS) is a feature that enables the Cisco ESA to perform multiple anti-spam scans on each message and apply different actions based on the results. IMS also includes the Graymail Detection and Safe Unsubscribe services, which allow the ESA to identify and filter messages that are not strictly spam, but are low-priority or unwanted by the end user, such as newsletters, social media notifications, or marketing emails. The Graymail Detection service can classify messages into different categories, such as bulk, mass, or subscription, and assign different scores and verdicts to them. The Safe Unsubscribe service can provide a link for the end user to safely unsubscribe from the sender’s mailing list, without revealing their email address or opening a malicious URL. To enable the blocking of greymail for the end user, the administrator must first enable the IMS feature globally and then configure the Graymail and Safe Unsubscribe settings in the mail policies. The administrator can also enable the centralized spam quarantine and the end-user quarantine interface to allow the end user to manage their own quarantined messages. References :=

• Best Practice Guide for Anti-Spam, Anti-Virus, Graymail and Outbreak Filters
• Graymail Detection and Safe Unsubscribing Functionality

When the Cisco Secure Firewall downloads threat intelligence updates from Cisco Talos, it is engaged in "consumption." This term refers to the process of receiving and utilizing threat intelligence data to enhance security measures. Cisco Talos provides comprehensive threat intelligence that Cisco Secure Firewall consumes to update its threat detection and prevention capabilities.

 TACACS+ is a protocol that provides authentication, authorization, and accounting (AAA) services for network devices. Unlike RADIUS, which only supports authorization at the user level, TACACS+ supports authorization at the command level. This means that TACACS+ can verify the permissions of the network administrator for every command that is entered, and allow or deny access accordingly. This provides more granular and secure control over network resources and operations. EAPOL, SSH, and RADIUS are not protocols that can provide command-level authorization for AAA. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Network Security Devices and Cloud Services, Topic 1.2.3: AAA
• 350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.2 Compare network security solutions, 1.2.a AAA
• What Is AAA Security? | Fortinet, Authentication, Authorization, and Accounting (AAA)

The access control rule in the exhibit has the following characteristics:

• The rule name is DMZ_Rule and it is enabled.
• The action set for this rule is Trust, meaning traffic matching this rule will not be subjected to further inspection.
• The source zones are not specified, meaning any zone can match this rule.
• The destination zone is DMZ_Inside, meaning only traffic destined to this zone can match this rule.

Therefore, the effect of this rule is that all traffic from any zone to the DMZ_Inside zone will be permitted with no further inspection. This is the correct answer, option A.

The other options are incorrect because they do not match the configuration of the rule or the behavior of the Trust action. Option B is incorrect because traffic will be allowed through to the DMZ_Inside zone, not blocked. Option C is incorrect because traffic will not be inspected before being allowed to the DMZ_Inside zone. Option D is incorrect because traffic does not need to be trusted to be allowed to the DMZ_Inside zone. References:

• Firepower Management Center Configuration Guide, Version 6.6 - Access Control Rules
• Firepower Management Center Device Configuration Guide, 7.1 - Access Control Policies
• How to Deploy FMC/FTD part 2 – Access Control Policies

 Cisco ISE is a solution that allows an administrator to provision, monitor, and secure mobile devices on Windows and Mac computers from a centralized dashboard. Cisco ISE integrates with Mobile Device Management (MDM) servers to provide necessary insight into the posture of mobile devices and enforce network access policies. Cisco ISE can also perform device registration, remediation, and periodic compliance checks on mobile devices. Cisco ISE can also issue remote actions on the device through the MDM server, such as full wipe, corporate wipe, and PIN lock. Cisco ISE can also augment endpoint data with information from the MDM server that cannot be gathered using the Cisco ISE profiling services. References:

• Integrate XenMobile Mobile Device Management (MDM) with Cisco Identity Services Engine (ISE)
• Cisco Identity Services Engine Administrator Guide, Release 2.4 - Mobile Device Manager Interoperability with Cisco ISE
• Cisco ISE Integration with Mobile Device Management (MDM)

Southbound APIs are used to communicate between the SDN Controller and the switches and routers of the network. They can be open-source or proprietary. They facilitate control over the network and enable the SDN Controller to dynamically make changes according to real-time demands and needs. OpenFlow and OpFlex are two examples of southbound APIs. OpenFlow, which was developed by the Open Networking Foundation (ONF), is the first and probably most well-known southbound interface. OpenFlow defines the way the SDN Controller should interact with the forwarding plane to make adjustments to the network, so it can better adapt to changing business requirements. With OpenFlow, entries can be added and removed to the internal flow-table of switches and routers to make the network more responsive to real-time traffic demands. OpFlex, which was proposed by Cisco, is another southbound interface that uses a declarative model to communicate policies and state between the controller and the network devices. OpFlex allows the network devices to retain some intelligence and autonomy, while still being managed by the controller. OpFlex is designed to be flexible and extensible, and can support different types of network devices and services. Services running over the network, external application APIs, and applications running over the network are not southbound APIs, as they do not directly communicate between the controller and the network devices. Therefore, the correct answer is B and E. References :=

Some possible references are:

• What are SDN Southbound APIs? - Where they are used. - SDxCentral
• SDN North-bound and South-bound APIs and Interfaces
• Cisco Application Centric Infrastructure Fundamentals

A network administrator can transparently identify users using Active Directory on the Cisco WSA in two ways:

• Create NTLM or Kerberos authentication realm and enable transparent user identification. This option allows the WSA to use the NTLM or Kerberos protocol to authenticate users without prompting them for credentials. The WSA must join the Active Directory domain and have a valid service principal name (SPN) for this option to work1.
• Deploy a separate Active Directory agent such as Cisco Context Directory Agent (CDA). This option allows the WSA to receive user-to-IP mappings from the CDA, which monitors the Active Directory domain controllers for user logon events. The CDA must be installed on a Windows server and have access to the domain controllers and the WSA2.

The other options are not ways to transparently identify users using Active Directory on the Cisco WSA. Creating an LDAP authentication realm and disabling transparent user identification will require users to enter their credentials manually. Installing the eDirectory client on each client workstation or deploying a separate eDirectory server are not related to Active Directory, but to Novell eDirectory, which is a different directory service3.

References := 1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3. 2: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory Agent, page 4-5. 3: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: eDirectory, page 4-8.

The Cisco Endpoint IoC feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IoCs are imported through the console from OpenIOC-based files written to trigger on file properties such as name, size, hash, and other attributes and system properties such as process information, running services, and Windows Registry entries. The IoC syntax can be used by incident responders to find specific artifacts or use logic to create sophisticated, correlated detections for families of malware. Endpoint IoCs have the advantage of being portable to share within your organization or in industry vertical forums and mailing lists. The Endpoint IoC scanner is available in AMP for Endpoints Windows Connector versions 4 and higher. Running Endpoint IoC scans may require up to 1 GB of free drive space. The Endpoint IoC feature is based on the openioc.com framework, which is an open standard for sharing threat intelligence. References:

• Cisco Endpoint IOC Attributes, User Guide
• What Are Indicators of Compromise (IOC)? - Cisco, Security Indicators of Compromise
• General questions about AMP - Cisco Community, Post by Cisco Employee

Northbound and southbound APIs are two types of interfaces that enable communication between different layers of the SDN architecture. Northbound APIs relay information between the controller and the applications or policy engines, while southbound APIs relay information between the controller and the network devices.

Northbound APIs allow applications to request network services or resources from the controller, such as bandwidth, latency, security, or routing. The controller then translates these requests into network configurations and applies them to the network devices via the southbound APIs. Northbound APIs typically use RESTful API methods such as GET, POST, and DELETE to communicate with the controller.

Southbound APIs allow the controller to program the network devices to perform forwarding and other functions. The controller can use different protocols or standards to communicate with the network devices, depending on their capabilities and vendor-specific features. Some common examples of southbound APIs are CLI, SNMP, RESTCONF, NETCONF, OpenFlow, and OpFlex.

References:

• Software-Defined Networking (SDN) Definition - Cisco
• Software-Defined Networking Security and Network … - Cisco Press
• Cisco SDN – Software Defined Networking Explained - Study-CCNA
• SDN Network - Cisco Community

Full Context Awareness - policy enforcement

NGIPS - threat prevention

AMP - real-time

Collective Sec Intel - Detection, blocking an remediation

Cisco ISE and pxGrid use the IETF (Internet Engineering Task Force) standards to integrate with each other and with other interoperable security platforms. IETF is an open, international community of network designers, operators, vendors, and researchers who produce voluntary standards for the Internet. Cisco pxGrid is based on the IETF standards-track XMPP (Extensible Messaging and Presence Protocol) and RESTCONF (Representational State Transfer Configuration Protocol) technologies. These standards enable Cisco pxGrid to provide a scalable, secure, and open data-sharing platform that supports multiple security products and services. Cisco ISE uses the IETF standards-track RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols to provide network access control and policy enforcement. Cisco ISE also supports the IETF standards-track SXP (Security Group Tag eXchange Protocol) to propagate security group tags across the network. By using the IETF standards, Cisco ISE and pxGrid can interoperate with other security platforms that support the same standards, such as Infoblox, Splunk, Rapid7, and more. References:

• Cisco pxGrid - Cisco
• ISE pxGrid General Information & FAQ - Cisco Community
• How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid
• Infoblox DDI, Cisco ISE, and the pxGrid Solution Platform

Cisco Stealthwatch Cloud is a network detection and response (NDR) solution that leverages pre-existing infrastructure to offer enterprise-wide, contextual visibility of network traffic from the private network to the public cloud1. It uses advanced analytics and machine learning to detect threats and anomalies across on-premises and cloud environments, and provides actionable alerts and recommendations to remediate them2. Cisco Stealthwatch Cloud is part of Cisco’s XDR strategy, which converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution3. References: 3: Cisco Unveils New Solution to Rapidly Detect Advanced Cyber Threats and Automate Response 2: Cisco Secure Network Analytics - Cisco 1: Cisco Stealthwatch and Cisco Tetration Workload Security

The ip radius source-interface command is needed for this configuration because it forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. This ensures that the RADIUS server can identify the source of the requests and apply the appropriate policies. If this command is not used, RADIUS will use the IP address of the interface that is closest to the destination, which may not match the configured NAS IP on the RADIUS server. This can cause the RADIUS server to reject the requests as unauthorized12. References:

• 1: RADIUS source interface - Cisco Community
• 2: RADIUS Commands - Cisco

Microsegmentation is a technology that limits communication between nodes on the same network segment to individual applications by creating secure zones across cloud and data center environments. Microsegmentation isolates application workloads from one another and secures them individually with granular firewall policies based on a zero-trust security approach1. Microsegmentation can reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance1.

Serverless infrastructure is a technology that allows developers to run code without provisioning or managing servers2. Serverless infrastructure does not limit communication between nodes on the same network segment to individual applications, but rather abstracts away the underlying infrastructure from the application logic.

SaaS deployment is a technology that delivers software applications over the internet as a service3. SaaS deployment does not limit communication between nodes on the same network segment to individual applications, but rather provides access to software applications from any device and location.

Machine-to-machine firewalling is a technology that controls the communication between machines or devices on a network. Machine-to-machine firewalling does not limit communication between nodes on the same network segment to individual applications, but rather applies rules to the traffic between machines or devices based on their IP addresses, ports, protocols, or other criteria.

References :=

• What Is Micro-Segmentation? - Cisco
• What is serverless?
• What is SaaS?
• [Machine-to-Machine Firewalling]

Group Encrypted Transport VPN (GET VPN) is used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. GET VPN provides a way to encrypt traffic between sites without the need for point-to-point tunnels, supporting efficient, scalable, and secure communication across a broad network infrastructure.

To add a device into Cisco DNA Center with the native API, the POST method and the name attribute are required. The POST method is used to create a new resource on the server, such as a device. The name attribute is used to specify the hostname or IP address of the device to be added. The POST method requires a JSON body that contains the device information, such as the name, type, role, credentials, and other optional parameters. The Cisco DNA Center API documentation provides an example of the JSON body and the response for adding a device1. The Cisco DNA Center Platform User Guide also explains how to use the native API to add devices2. References := 1: Cisco DNA Center API Documentation - Add Device 2: Cisco DNA Center Platform User Guide, Release 2.3.5 - Manage Devices Using the Native API

VMware APIC is a platform that integrates with Cisco ACI to provide enhanced visibility, policy integration and deployment, and security policies with access lists. VMware APIC is a virtual appliance that runs on VMware vSphere and communicates with the Cisco APIC controller. VMware APIC allows administrators to create and manage Cisco ACI policies for VMware virtual machines and networks. VMware APIC also provides a unified view of the physical and virtual network topology, health, and statistics. VMware APIC supports the following modes of Cisco ACI and VMware integration:

• VMware VDS: When integrated with Cisco ACI, the VMware vSphere Distributed Switch (VDS) enables administrators to configure VM networking in the ACI fabric.
• Cisco ACI Virtual Edge: Cisco ACI Virtual Edge is a distributed service that provides Layer 4 to Layer 7 services for applications running on VMware vSphere.
• Cisco Application Virtual Switch (AVS): Cisco AVS is a distributed virtual switch that provides policy-based network services for VMware vSphere environments. References:
• Cisco ACI with VMware VDS Integration
• Cisco ACI and VMware NSX-T Data Center Integration
• Cisco ACI and VMware: The Perfect Pair
• Setting the Record Straight: Confusion about ACI on VMware Technologies

Asymmetric encryption, also known as public key cryptography, uses two different keys for encryption and decryption: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret. Data encrypted with the public key can only be decrypted with the private key, and vice versa. This ensures that only the intended recipient can access the encrypted data, and that the sender can prove their identity with a digital signature. Asymmetric encryption is widely used for securing Internet communications, such as TLS/SSL, which enables HTTPS. Some examples of asymmetric encryption algorithms are RSA, Diffie-Hellman, and Elliptic Curve Cryptography. The other options are not correct because they do not use a public key and private key. Symmetric encryption uses the same key for encryption and decryption, and is faster and more efficient than asymmetric encryption. However, symmetric encryption requires a secure way to exchange the key between the sender and the receiver, which can be facilitated by asymmetric encryption. Linear and nonlinear encryption are not types of encryption, but rather properties of encryption algorithms. A linear encryption algorithm is one that can be expressed as a linear function, such as XOR. A nonlinear encryption algorithm is one that involves more complex mathematical operations, such as modular arithmetic or S-boxes. Nonlinear encryption algorithms are generally more secure and resistant to cryptanalysis than linear encryption algorithms. References :=

• Public-key cryptography - Wikipedia
• How does public key cryptography work? - Cloudflare
• Public and private encryption keys | PreVeil
• AES encryption, what are public and private keys?

The Cisco Identity Services Engine (ISE) posture module provides a service that allows you to check the compliance of endpoints with corporate security policies. This service consists of three main components: client provisioning, posture policy, and authorization policy. Client provisioning ensures that the endpoints receive the appropriate posture agent, such as the AnyConnect ISE Posture Agent or the Network Admission Control (NAC) Agent. Posture policy defines the conditions and requirements that the endpoints must meet to be considered compliant, such as having the latest antivirus updates or patches installed. Authorization policy determines the level of network access granted to the endpoints based on their posture assessment results, such as allowing full access, limited access, or quarantine.

The two actions that the Cisco ISE posture module provides that ensure endpoint security are:

• The latest antivirus updates are applied before access is allowed. This action prevents malware infections and protects the network from potential threats. The posture policy can include predefined or custom conditions that check the antivirus status of the endpoints, such as the product name, version, definition date, and scan result. If the endpoint does not meet the antivirus requirement, the posture agent can trigger a remediation action, such as launching the antivirus update or scan, before allowing network access.
• Patch management remediation is performed. This action ensures that the endpoints have the latest security patches installed and are not vulnerable to known exploits. The posture policy can include predefined or custom conditions that check the patch status of the endpoints, such as the operating system, service pack, hotfix, or update. If the endpoint does not meet the patch requirement, the posture agent can trigger a remediation action, such as redirecting the endpoint to a patch management server or launching the patch installation, before allowing network access.

References :=

• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies
• Configuring posture services with the Cisco Identity Services Engine
• Cisco Identity Services Engine Administrator Guide, Release 2.0 - Posture Policy

This is a type of Outbreak Control list that allows the administrator to create a list of files based on their SHA-256 hash values that will be detected, blocked, and quarantined by the AMP for Endpoints connectors. The Simple Custom Detection list can be applied to a policy and synchronized with the devices that have the AMP connectors installed. This way, the administrator can prevent the execution of specific files without having to quarantine them on the devices.

The other options are incorrect because:

• Advanced Custom Detection is a type of Outbreak Control list that allows the administrator to create custom rules based on file attributes, such as file name, size, path, or parent process. These rules can be used to detect and block files that match certain criteria, but they cannot be used to quarantine them.
• Blocked Application is a type of Outbreak Control list that allows the administrator to create a list of applications based on their SHA-256 hash values that will be blocked from running on the devices that have the AMP connectors installed. However, this list does not detect or quarantine the applications, only prevents them from executing.
• Isolation is a feature of AMP for Endpoints that allows the administrator to isolate a device from the network if it is compromised by malware. This prevents the device from communicating with other devices or the internet, but does not affect the files on the device.

References:

• https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.html
• https://community.cisco.com/t5/endpoint-security/block-list-data-source-in-cisco-amp/td-p/4077205
• https://community.cisco.com/t5/security-videos/amp4e-outbreak-control/ba-p/4071894

A cloud access security broker (CASB) is a security solution that helps protect cloud-hosted services and applications from cyberattacks and data breaches. A CASB acts as an intermediary between cloud users and cloud providers, and enforces the organization’s security policies and compliance requirements. A CASB integrates with other cloud solutions via APIs and monitors the cloud activity and data across multiple platforms and devices. A CASB can also create incidents based on events from the cloud solution, such as unauthorized access, data leakage, malware infection, or policy violation. A CASB can then alert the administrators, block the malicious actions, or remediate the issues. A CASB provides visibility, control, and protection for the organization’s cloud environment12.

References :=

• What Is a Cloud Access Security Broker (CASB)? | Microsoft
• What is a CASB Cloud Access Security Broker? - CrowdStrike

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

The Cisco DNA Center RESTful PNP API allows external applications to interact with the Plug and Play (PNP) service of Cisco DNA Center, which automates the onboarding and provisioning of network devices. The PNP API has several endpoints for different operations, such as importing, claiming, updating, and deleting devices. The endpoint that adds and claims a device into a workflow is api/v1/onboarding/pnp-device/import, which takes a JSON payload with the device information and the workflow ID. This endpoint creates a new device entry in the PNP database and associates it with the specified workflow. The workflow defines the configuration template, image, and license to be applied to the device during the provisioning process12. References:

• 1: See How to Use the Plug and Play API in DNA Center – Part 2
• 2: Cisco DNA Center Platform User Guide, Release 2.2.3

 SNMP (Simple Network Management Protocol) is the most commonly used protocol for network telemetry. SNMP is a standard protocol that allows network devices to exchange management information1. SNMP agents run on network devices and collect data about their status, performance, configuration, and events. SNMP managers run on network management systems and query the agents for data or receive notifications from them. SNMP can also be used to configure or control network devices remotely2. SNMP is widely supported by various vendors and platforms, and it provides a simple and flexible way to monitor and manage networks3.

References: 1: What is SNMP? | Cisco 2: SNMP Basics: What is SNMP and How It Works | SolarWinds 3: Network Telemetry Explained: Frameworks, Applications & Standards | Splunk

The crypto isakmp identity hostname command is required to define the identity used by the router when participating in the Internet Key Exchange protocol. This command is needed when you specify preshared keys for authentication. The ip name-server command is required to specify the IP address of the DNS server that can resolve the FQDN of the remote peer. This command is needed when you use the crypto isakmp key command with the hostname option instead of the address option. The other commands are not required or correct for this scenario. References: 1, 2, 3

Cisco Container Platform (CCP) is a security product that enables administrators to deploy Kubernetes clusters in air-gapped sites without needing Internet access. CCP tenant images contain all the necessary binaries and don’t need internet access to function. CCP also supports offline installation and updates of the platform components. CCP is designed to simplify the deployment and management of containerized applications across hybrid cloud environments, while ensuring security and compliance. CCP integrates with Cisco security solutions such as Cisco Tetration and Cisco Stealthwatch Cloud to provide visibility and protection for Kubernetes clusters and workloads. CCP also leverages Cisco Intersight, a cloud-based management platform, to provide centralized monitoring and automation for CCP clusters. References:

• Cisco Container Platform
• 350-701 SCOR Cisco CCNP Security Updated Questions in April

ExplanationA Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browserrequests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy server.PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured tosend traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to createand maintain.

 Cisco Advanced Phishing Protection (AAP) is a solution that adds sophisticated machine learning capabilities to Cisco Email Security to block advanced identity deception attacks for inbound email by assessing its threat posture1. It also uses both global and local telemetry data combined with analytics and modeling to validate the reputation and authenticity of senders2. AAP provides sender authentication and BEC detection capabilities, and uses advanced machine learning techniques, real-time behavior analytics, relationship modeling and telemetry to protect against identity deception–based threats3.

In two ways, the Cisco Advanced Phishing Protection solution protects users:

• It prevents use of compromised accounts and social engineering. AAP detects and blocks phishing emails that attempt to impersonate legitimate senders, such as executives, partners, or customers, and trick users into revealing sensitive information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it with a warning4.
• It automatically removes malicious emails from users’ inbox. AAP provides retrospective analysis and remediation capabilities, which means that it can identify and remove emails that were initially delivered but later found to be malicious. AAP leverages the Cisco Talos threat intelligence network and the Sensor-based solution to continuously monitor the threat landscape and update the email disposition accordingly. If an email is reclassified as malicious, AAP can automatically delete it from the users’ inbox, or notify the administrator or the user to take action45.

The other options are incorrect because they do not accurately describe the functions of AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on phishing and identity deception attacks. AAP does not prevent trojan horse malware using sensors, as sensors are used to collect and analyze email data, not to block malware. AAP does not secure all passwords that are shared in video conferences, as it is not related to video conferencing security. Therefore, the correct answer is A and C. References:

• Cisco’s Security Innovations to Protect the Endpoint and Email
• Cisco Advanced Phishing Protection - Cisco Video Portal
• Cisco Advanced Phishing Protection At A Glance - AVANTEC
• User Guide for Cisco Advanced Phishing Protection
• Cisco Secure Email Threat Defense - Cisco
• Integrating the Email Gateway with Cisco Advanced Phishing Protection

Cisco Secure Workload (formerly Tetration) is a solution that provides visibility, segmentation, and security for cloud applications. It can monitor application communications, detect abnormal application behavior, and identify vulnerabilities within the applications. Cisco Secure Workload can also enforce granular policies to control the traffic between applications and prevent unauthorized access. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Cloud and Content Security, Lesson 6.2: Cisco Cloud Security Solutions, Topic 6.2.2: Cisco Secure Workload

 Cisco Cloudlock is a cloud-native security solution that secures public, private, hybrid, and community clouds. It provides visibility, compliance, threat protection, and data security for cloud applications and environments. Cisco Cloudlock integrates with various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365, Salesforce, Dropbox, and more. Cisco Cloudlock monitors user activities, configurations, and sensitive data across the cloud, and alerts or blocks any violations of policies or regulations. Cisco Cloudlock also leverages user and entity behavior analytics (UEBA) to detect and respond to anomalous or malicious behaviors in the cloud. Cisco Cloudlock helps organizations protect their cloud assets and data, while enabling them to embrace the benefits of cloud computing. References :=

• Cloud and Application Security - Cisco
• Cloud Security Products and Solutions - Cisco
• What Is Cloud Security? - Cisco
• [Cisco Cloudlock: Cloud-Native CASB and Cloud Cybersecurity Platform]

 Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. Cloudlock integrates with cloud applications like Dropbox and Office 365 by providing visibility, compliance, threat protection, and data security. Cloudlock can detect and prevent data exfiltration by applying data loss prevention (DLP) policies, encrypting sensitive data, and alerting or blocking unauthorized activities. Cloudlock also supports cloud app discovery and risk assessment, user and entity behavior analytics (UEBA), and cloud app firewall12. References: 1: Cisco Cloudlock - Cisco 2: Cisco Cloudlock Privacy Data Sheet

The function of the crypto is a kmp key cisc406397954 address 0.0.0.0 0.0.0.0 command when establishing an IPsec VPN tunnel is to configure the pre-shared authentication key. This command specifies the key that will be used to authenticate the Internet Key Exchange (IKE) phase 1 negotiation between the IPsec peers. The key is associated with the address 0.0.0.0 0.0.0.0, which means that it will apply to any peer that initiates or responds to the IKE negotiation. This is a common configuration for dynamic IPsec VPN scenarios, such as Dynamic Multipoint VPN (DMVPN) or Easy VPN, where the IP addresses of the peers are not known in advance. However, this is also a less secure configuration, as it exposes the VPN server to potential brute-force attacks from any source. A more secure configuration would be to specify the exact IP address or subnet of the peer, or to use certificates instead of pre-shared keys.

References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 2: Site-to-Site VPNs, Topic: IPsec VPN Configuration
• Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4 - Configuring Internet Key Exchange for IPsec VPNs [Support] - Cisco, Configuring IKE Policies, Step 3: crypto isakmp key keystring [address | hostname] [mask | no-xauth] [netmask mask]