Cisco 350-701 Dumps

Explanation

In explicit proxy mode, users are configured to use a web proxy and the web traffic is sent directly to the Cisco WSA. In contrast, in transparent proxy mode the Cisco WSA intercepts user's web traffic redirected from other network devices, such as switches, routers, or firewalls.

 Cisco FTD is the recommended solution for this requirement because it allows the administrator to configure URL filtering as part of the access control policy. URL filtering in FTD can block or allow traffic based on the destination URL of a web request, the generalized category of the URL, or the public reputation of the target site. FTD can also use HTTPS URL filtering to inspect encrypted web traffic and block malicious or unwanted sites. FTD supports both local URL lists and external URL filtering servers such as Cisco Talos Intelligence Group (TIG), Websense, or SmartFilter12.

Cisco ASA does not include URL filtering in the access control policy capabilities. ASA can only enable URL filtering for web traffic using external filtering servers such as Websense or SmartFilter. ASA cannot block HTTPS or FTP traffic based on URLs, nor can it use local URL lists or categories. ASA also does not block malicious URLs by default, but relies on the filtering server’s configuration34.

Therefore, option C is the correct answer, and the other options are incorrect. References :=

FTD URL Filtering - How it works? - Cisco Community

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Access Control

Configuring Filtering Services - Cisco

Configuring URL Filtering - Cisco

A DoS (Denial of Service) attack is a type of cyberattack that aims to disrupt the normal functioning of a server, service, or network by overwhelming it with a large amount of traffic or requests. A DoS attack typically uses a single computer or device to launch the attack, sending TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) packets to the target server. TCP and UDP are two common protocols used to send data over the internet. TCP packets require a connection to be established between the sender and the receiver, and ensure that the data is delivered reliably and in order. UDP packets do not require a connection, and do not guarantee the delivery or order of the data. Both TCP and UDP packets can be used to flood a server with requests, consuming its resources and bandwidth, and preventing legitimate users from accessing the service.

A DDoS (Distributed Denial of Service) attack is a type of DoS attack that uses multiple computers or devices to launch the attack, creating a large network of attackers that can generate more traffic or requests than a single source. A DDoS attack often involves a botnet, which is a network of compromised computers or devices that are controlled by a malicious actor, usually through malware or hacking. The botnet can send TCP or UDP packets to the target server from different locations and IP addresses, making it harder to trace and block the attack. A DDoS attack can also target multiple servers or services that are distributed over a LAN (Local Area Network), such as a web hosting service or a cloud computing platform, affecting the availability and performance of the entire network.

The main difference between a DoS attack and a DDoS attack is the number and diversity of the sources that are involved in the attack. A DoS attack comes from a single source, while a DDoS attack comes from multiple sources. This makes a DDoS attack more powerful, faster, and harder to stop than a DoS attack.

 To add switches into the fabric, administrators can use PowerOn Auto Provisioning (POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading software images and installing configuration files on Cisco switches that are being deployed in the network for the first time. Seed IP is a method that allows administrators to specify the IP address of a switch that is already part of the fabric, and then use it to discover and add other switches that are connected to it. Both methods enable administrators to control how switches are added into DCNM for private cloud management. References:

POAP, section “PowerOn Auto Provisioning (POAP)”.

Seed IP, section “Add Switches”.

ESA stands for Email Security Appliance, which is a Cisco product that provides comprehensive email security solutions. ESA can be deployed in different modes, such as gateway, hybrid, or cloud, depending on the customer’s needs and preferences. One of the key components of ESA configuration is the listener, which is a service that listens for incoming SMTP connections on a specific port and interface. A listener can be configured to handle inbound or outbound email, or both, depending on the mail flow policies and sender groups that are applied to it.

One way to segregate inbound and outbound email on ESA is to use a pair of logical listeners on a single physical interface with two unique logical IPv4 addresses and one IPv6 address. This method allows the ESA to have two separate listeners for inbound and outbound email, each with its own IP address and mail flow policies, while using the same physical interface and port. This can simplify the network configuration and reduce the hardware requirements for ESA deployment. The IPv6 address can be used to support dual-stack IPv4 and IPv6 environments, or to provide redundancy in case of IPv4 address exhaustion.

The other options are incorrect because:

A is false, as one listener on a single physical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.

C is false, as pair of logical IPv4 listeners and a pair of IPv6 listeners on two physically separate interfaces is an unnecessary and complex configuration that does not provide any additional benefits over option B.

D is false, as one listener on one logical IPv4 address on a single logical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.

 Cisco AMP for Endpoints provides next-generation protection by leveraging an endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities. EPP is a set of multifaceted prevention techniques that stop threats from compromising endpoints, such as behavioral analytics, machine learning, and signature-based methods. EDR is a set of powerful features that reduce the attack surface and remediate faster, such as advanced threat hunting, endpoint isolation, and dynamic malware analysis. Cisco AMP for Endpoints also integrates with SecureX, a built-in platform that offers extended detection and response (XDR) capabilities across multiple control points, such as network, cloud, email, and web. By combining EPP, EDR, and XDR, Cisco AMP for Endpoints delivers a comprehensive and resilient endpoint security solution that can detect, respond, and recover from sophisticated attacks. References:

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Anycast IP is a component of Cisco umbrella architecture that increases reliability of the service by allowing the same IP address to exist on multiple servers around the world. This way, the user’s request is automatically routed to the nearest and fastest data center, and failover is seamless in case of an outage. Anycast IP also reduces latency and improves performance by using BGP to select the shortest path to the destination12. References := 1: Why Cisco Umbrella uses anycast routing - Cisco Umbrella 2: Cisco Umbrella At a Glance

When a transparent authentication fails on the Web Security Appliance (WSA), the end user gets blocked access. This means that the user cannot access any web resources until they successfully authenticate. The WSA can use different methods to authenticate users transparently, such as Transparent User Identification (TUI), Transparent Identification, or Kerberos1. If none of these methods work, the WSA will send a block page to the user with a message explaining why the authentication failed and how to resolve the issue2. The block page can be customized by the administrator to provide more information or instructions to the user3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.3: Cloud Application Security, Topic 4.3.2: Cisco Umbrella, page 4-59. 2: User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment), Chapter: Acquire End-User Credentials, Topic: Failed Authentication Credentials, page 4-67. 3: User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment), Chapter: Customize End-User Notifications, Topic: Customize Block Pages, page 5-1.

Explanation

Unlike the traditional software life cycle, the CI/CD implementation process gives a weekly or daily update

instead of monthly or quarterly. The fun part is customers won’t even realize the update is in their applications,

as they happen on the fly.

Explanation

Explanation

Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.

Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

The Cisco WSA can participate in the Cisco SensorBase Network, which is a threat management database that collects and shares data from Cisco security products. By participating in the SensorBase Network, the WSA can receive web reputation scores and URL categories for the requested web content, and also contribute data to improve the accuracy and efficacy of the service. The data that the WSA sends to the SensorBase Network servers includes information about request attributes and how the appliance handles requests. However, to protect the privacy and confidentiality of the users and the organization, the WSA does not send the complete URL, but only the summarized server-name information and the MD5-hashed path information. The MD5 hash is a one-way encryption algorithm that converts the path information into a fixed-length string that cannot be reversed. This way, the SensorBase Network can identify the URL without revealing the actual content or parameters of the request. The WSA also does not send any personal or confidential information such as usernames and passwords, or any information about HTTPS transactions, except for the IP address, web reputation score, and URL category of the server name in the certificate. The SensorBase Network Participation is enabled by default, but it can be disabled by the administrator if desired123. References: 3: Web Base Network Participation (WBNP) and Sender Base Network Participation (SBNP) - Cisco 2: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD (General Deployment) - Introduction 1: User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Introduction

 Cisco AnyConnect with Umbrella Roaming Security module protects a user from a phishing attack by enforcing security at the DNS layer and blocking malicious domains that are used for phishing campaigns. The Umbrella Roaming Security module integrates with the Cisco AnyConnect client and provides always-on security even when no VPN is active. The Umbrella Roaming Security module can replace the existing Cisco Umbrella roaming client or be part of a new AnyConnect deployment12.

Cisco Identity Services Engine (ISE) is not an endpoint solution, but a network access control and policy enforcement platform that can integrate with AnyConnect for posture assessment and compliance3. Cisco AnyConnect with ISE Posture module is used to check the compliance status of the endpoint device and apply the appropriate network access policy based on the posture result4. Cisco AnyConnect with Network Access Manager module is used to manage the network connections and profiles of the endpoint device and support various authentication methods5. Neither of these modules directly protect the user from a phishing attack.

References :=

Roaming Client: Umbrella Roaming Security (Integration with AnyConnect)

Secure Umbrella Roaming: Cisco Secure Client (Formerly AnyConnect)

Cisco Identity Services Engine

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Posture Module]

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Network Access Manager Module]

 Multi-factor authentication (MFA) is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. token), or something the user is (e.g. biometric). MFA can prevent or mitigate some common types of cyberattacks that rely on stealing or guessing a user’s credentials, such as phishing and brute force attacks12

Phishing is an attack where an attacker sends a fraudulent email or message that appears to come from a legitimate source, such as a bank or a government agency, and tries to trick the user into clicking on a malicious link or attachment, or providing their credentials or personal information34 MFA can prevent phishing attacks by requiring an additional factor of authentication that the attacker cannot obtain from the phishing email or message, such as a one-time password (OTP) sent to the user’s phone or email, or a biometric verification such as a fingerprint or face scan56

Brute force is an attack where an attacker tries to guess a user’s password by systematically trying different combinations of characters, words, or phrases until they find the correct one. MFA can prevent brute force attacks by requiring an additional factor of authentication that the attacker cannot guess, such as a physical token or a push notification that the user has to approve.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: What Type of Attacks Does MFA Prevent? | OneLogin 3: 5 Multi-Factor Authentication Vulnerabilities and How to Resolve Them 4: FBI warns about attacks that bypass multi-factor authentication (MFA) 5: Defend your users from MFA fatigue attacks - Microsoft Community Hub 6: What type of attacks does Multi-Factor Authentication prevent? : How to Prevent Brute Force Attacks | Cloudflare : Brute Force Attack - an overview | ScienceDirect Topics : Multi-factor authentication - Wikipedia : Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online

The threat intelligence standard that contains malware hashes is trusted automated exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of cyber threat information in a standardized and automated manner. It supports various types of threat intelligence, such as indicators of compromise (IOCs), observables, incidents, tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one example of IOCs that can be shared using TAXII. Malware hashes are cryptographic signatures that uniquely identify malicious files or programs. They can be used to detect and block malware infections on endpoints or networks. TAXII uses STIX (structured threat information expression) as the data format for representing threat intelligence. STIX is a language that defines a common vocabulary and structure for describing cyber threat information. STIX allows threat intelligence producers and consumers to share information in a consistent and interoperable way. STIX defines various objects and properties that can be used to represent different aspects of cyber threat information, such as indicators, observables, incidents, TTPs, campaigns, threat actors, courses of action, and relationships. Malware hashes can be expressed as observables in STIX, which are concrete items or events that are observable in the operational domain. Observables can have various types, such as file, process, registry key, URL, IP address, domain name, etc. Each observable type has a set of attributes that describe its properties. For example, a file observable can have attributes such as name, size, type, hashes, magic number, etc. A hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as the hexadecimal representation of the hash). A file observable can have one or more hash attributes to represent different hashing algorithms applied to the same file. For example, a file observable can have both MD5 and SHA256 hashes to increase the confidence and accuracy of identifying the file.

The other options are incorrect because they are not threat intelligence standards that contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims to compromise and maintain access to a target network or system over a long period of time. Option B is incorrect because open command and control (OpenC2) is not a standard that contains malware hashes, but a language that enables the command and control of cyber defense components, such as sensors, actuators, and orchestrators. Option C is incorrect because structured threat information expression (STIX) is not a standard that contains malware hashes, but a data format that represents threat intelligence. STIX uses TAXII as the transport protocol for exchanging threat intelligence, including malware hashes. References:

TAXII

STIX

Malware Hashes

Explanation

The syntax of this command is shown below:

snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]

The command above restricts which IP source addresses are allowed to access SNMP functions on the router. You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don’t come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing through on their way to some other destination device.

Explanation

Cisco ISE can determine the type of device or endpoint connecting to the network by performing “profiling.”

Profiling is done by using DHCP, SNMP, Span, NetFlow, HTTP, RADIUS, DNS, or NMAP scans to collect as

much metadata as possible to learn the device fingerprint.

NMAP (“Network Mapper”) is a popular network scanner which provides a lot of features. One of them is the

OUI (Organizationally Unique Identifier) information. OUI is the first 24 bit or 6 hexadecimal value of the MAC

address.

Note: DHCP probe cannot collect OUIs of endpoints. NMAP scan probe can collect these endpoint attributes:

+ EndPointPolicy

+ LastNmapScanCount

+ NmapScanCount

+ OUI

+ Operating-system

The Cisco DNA Center API provides the ability to program and monitor networks from somewhere other than the DNAC GUI. The API is a set of RESTful web services that allow users to interact with Cisco DNA Center programmatically. The API can be used to automate tasks, integrate with third-party applications, or create custom applications. The API exposes the same functionality as the DNAC GUI, such as design, provision, policy, assurance, and platform1. The API also provides documentation, examples, and testing tools for each API call1. References :=

Cisco DNA Center User Guide, Release 2.3.3

Cisco DNA Center User Guide, Release 2.2.2

DNAC Tour Part 1: Introduction to Cisco DNA Center

Cisco DNA Center Platform User Guide, Release 2.2.2

 Cisco Identity Services Engine (ISE) and AnyConnect Posture module are the best solution to ensure that all endpoints are compliant before users are allowed access on the corporate network. ISE is a policy-based platform that provides secure network access, identity management, and endpoint compliance. AnyConnect Posture module is a component of the AnyConnect Secure Mobility Client that performs posture assessment and remediation on the endpoints. Together, they can enforce policies based on the endpoint’s compliance status, such as the presence and update of the corporate antivirus application and the Windows 10 build version. The administrator can configure posture requirements, profiles, and policies on ISE, and deploy them to the endpoints through AnyConnect. The endpoints will then report their posture status to ISE, which will grant or deny network access accordingly, or redirect them to a remediation portal if needed. References :

 EPP solutions solely focus on the perimeter of the network, which is the boundary between the internal and external networks. The perimeter is where most of the endpoints, such as laptops, desktops, mobile devices, and IoT devices, are located and connected to the network. EPP solutions aim to prevent, detect, and remediate security threats on these endpoints by using technologies such as antivirus, data encryption, and data loss prevention. EPP solutions rely on signatures and other indicators of intrusion by known threats to block malicious activity and malware on the endpoints12.

EDR solutions do not focus on the perimeter, but rather on the entire network, including the core and the East-West gateways. The core is the central part of the network that connects different segments and provides high-speed data transmission. The East-West gateways are the points of communication between different segments within the network, such as between different data centers or cloud environments. EDR solutions provide continuous and comprehensive visibility into endpoint activities across the network by using threat hunting tools for behavior-based endpoint threat detection. EDR solutions monitor and record endpoint data, detect anomalies and malicious behavior, and respond to threats that EPP and other security tools did not catch. EDR solutions also enable security teams to proactively investigate and contain incidents by using incident data search, alert triage, threat validation, and malicious activity blocking134.

References := 1: EPP vs. EDR: Why You Need Both - CrowdStrike 2: Comparing endpoint security: EPP vs. EDR vs. XDR | Infosec 3: EDR vs EPP: What is the Difference? - Exabeam 4: EDR vs EPP: Key Features, Differences, and How They Work Together

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security

Broker (CASB) and cloud cybersecurity platform.

Explanation

Explanation

There are three basic categories of attack:

+ volume-based attacks, which use high traffic to inundate the network bandwidth

+ protocol attacks, which focus on exploiting server resources

+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference:

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

 Platform as a Service (PaaS) is a cloud service model that delivers and manages all the hardware and software resources to develop applications through the cloud. The service provider is responsible for the infrastructure, middleware, runtime, and operating system, while the customer only has to focus on the application and data. PaaS enables the customer to avoid the hassle of patching, updating, or maintaining the operating system, as well as the underlying hardware and network12. Infrastructure as a Service (IaaS) is a cloud service model that delivers on-demand infrastructure resources, such as compute, storage, networking, and virtualization, to the customer via the cloud. The service provider hosts and manages the infrastructure, but the customer is responsible for the operating system, middleware, virtual machines, and any apps or data. IaaS requires the customer to handle the patch management of the operating system, as well as the security and configuration of the virtual machines34. References := 1: Use platform as a service (PaaS) options - Azure Architecture Center 2: What is Platform-as-a-Service (PaaS)? - Cloudflare 3: PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud 4: SaaS vs PaaS vs IaaS: What’s The Difference & How To Choose – BMC Software | Blogs

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice and video. DMVPN provides scalability for organizations with many remote sites by using a hub-and-spoke topology with dynamic tunnels between spokes. This reduces the number of static tunnels required and simplifies the configuration and management of the VPN. DMVPN also supports dynamic routing protocols, multicast traffic, and quality of service (QoS) features, making it suitable for various network scenarios and requirements12 References := 1: Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Cisco Duo is a multi-factor authentication (MFA) solution that verifies the identity of all users with Duo’s easy, one-tap-approval MFA app. It also provides device visibility and adaptive policies to ensure that only trusted devices can access corporate applications and networks. Some of the benefits of using Cisco Duo as an MFA solution are:

It provides a simple and streamlined login experience for multiple applications and users. Users can access all their applications from a single dashboard, and authenticate with a simple push notification or other convenient methods. Duo also supports single sign-on (SSO) for integrated applications, reducing the need for multiple passwords and logins12.

It offers native integration that helps secure applications across multiple cloud platforms or on-premises environments. Duo can be easily integrated with most major apps and custom applications, enabling a secure access solution that can be implemented with minimal IT involvement. Duo also supports various protocols and standards, such as SAML, RADIUS, LDAP, and WebAuthn, to enable seamless integration with different environments13.

 1: Multi-Factor Authentication (MFA) | Duo Security 2: Multi-Factor Authentication (MFA) | Duo Security - Cisco 3: What Is Duo? Two-Factor Authentication From Cisco - Cisco

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

Explanation

Cisco Stealthwatch Cloud: Available as an SaaS product offer to provide visibility and threat detection within public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

The aaa server radius dynamic-author command enables authentication, authorization, and accounting (AAA) globally on the device so that Change of Authorization (CoA) is supported. CoA is a feature that allows an external AAA server to dynamically change the attributes of a user session after it is authenticated. For example, the AAA server can send a CoA request to reauthenticate a user, terminate a session, or apply a new policy. The aaa server radius dynamic-author command specifies the IP address and port number of the device that listens for CoA requests from the AAA server. The command also configures the shared secret key that is used to encrypt the communication between the device and the AAA server12. References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing Networks with Cisco Firepower Next Generation Firewall, Lesson 3.2: Deploying Cisco Firepower Next-Generation Firewall, Topic 3.2.2: Cisco Firepower NGFW Device Management 2: Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15SY - RADIUS Change of Authorization [Support] - Cisco3

Explanation

The Southbound API is used to communicate between Controllers and network devices

Device compliance is the state of devices meeting the standards and regulations for the industry or organization. Device compliance policies define the rules and settings that users and devices must meet to be compliant, such as minimum operating systems, disk encryption, or Secure Boot. Device compliance policies can also include actions that apply to devices that are noncompliant, such as alerting users, blocking access, or wiping data. Device compliance policies can be integrated with Conditional Access, which can enforce attribute-driven policies based on the compliance status of the device. Attribute-driven policies are policies that use attributes of the device, user, or resource to determine the level of access or protection. For example, a policy can allow access to a resource only if the device is compliant, the user is in a certain group, and the resource is in a certain location. Attribute-driven policies provide more granular and flexible control over access and security than traditional policies based on roles or permissions. Therefore, the benefit of performing device compliance is providing attribute-driven policies, which is option D. References:

Device compliance policies in Microsoft Intune

Device Compliance settings for Windows 10/11 in Intune

Device Compliance: What it is and why you should use it

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

MAB is a fallback mechanism for IEEE 802.1X that allows network access based on the MAC address of the endpoint. However, MAB does not prevent MAC address spoofing, which is a technique used by attackers to impersonate authorized devices and bypass authentication. To mitigate this risk, two catalyst switch security features can be used in conjunction with MAB: 802.1AE MacSec and port security.

802.1AE MacSec is a standard that provides encryption and integrity protection for data frames between two MACsec-capable devices. MacSec also uses a secure key exchange protocol called MKA (MACsec Key Agreement) to establish and maintain cryptographic keys between the peers. By enabling MacSec on the switch ports, the switch can verify the identity and authenticity of the endpoints and prevent unauthorized access or tampering with the data frames.

Port security is a feature that allows the switch to limit the number and type of MAC addresses that can access a port. Port security can be configured to allow only a specific MAC address or a maximum number of MAC addresses per port. Port security can also be configured to take an action when a violation occurs, such as shutting down the port, sending a trap, or dropping packets. By enabling port security on the switch ports, the switch can prevent multiple devices from accessing the same port or deny access to devices with spoofed MAC addresses.

Cisco AMP (Advanced Malware Protection) is a technology that provides a combination of endpoint protection, endpoint detection, and response. Cisco AMP protects endpoints from malware and other threats by using multiple prevention engines, including signatures, machine learning, and file reputation. Cisco AMP also continuously monitors and analyzes endpoint activity to detect malicious behavior and indicators of compromise. Cisco AMP can respond to threats by blocking, isolating, or removing malicious files, processes, or devices across the network. Cisco AMP leverages the cloud-based intelligence of Cisco Talos and Cisco Threat Grid to provide global threat visibility and analysis. Cisco AMP can also integrate with Cisco Umbrella and other security solutions to provide a comprehensive and unified approach to endpoint security. References:

Cisco Secure Endpoint (Formerly AMP for Endpoints)

Prevent, Detect and Respond with Cisco AMP for Endpoints

Provide State-of-the-Art Endpoint Protection as a Managed Service

Cisco Secure Workload (formerly Tetration) is a solution that provides visibility, segmentation, and security for cloud applications. It can monitor application communications, detect abnormal application behavior, and identify vulnerabilities within the applications. Cisco Secure Workload can also enforce granular policies to control the traffic between applications and prevent unauthorized access. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Cloud and Content Security, Lesson 6.2: Cisco Cloud Security Solutions, Topic 6.2.2: Cisco Secure Workload

the file to Cisco Threat Grid for dynamic analysis. Cisco Threat Grid is a cloud-based service that provides malware analysis and threat intelligence. It can analyze suspicious files and URLs, and provide detailed reports on the behavior, indicators, and severity of the threat1. By sending the file to Cisco Threat Grid, the custom file policy can leverage the dynamic analysis results to detect the file as an indicator of compromise, and prevent other endpoints from executing the infected file. The other options are not correct because they do not address the root cause of the problem, which is the lack of detection by the custom file policy. Creating an IP block list, blocking the application, or uploading the hash for the file may help to mitigate the attack, but they do not ensure that the custom file policy is functioning as it should. References:

2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Endpoint Protection and Detection

3: Cisco AMP for Endpoints User Guide - Custom Detection Lists

4: Cisco AMP for Endpoints User Guide - File Analysis and Cisco Threat Grid

1: Cisco Threat Grid - Overview

Explanation

Domain name system (DNS) is the protocol that translates human-friendly URLs, such as securitytut.com, into IP addresses, such as 183.33.24.13. Because DNS messages are only used as the beginning of each communication and they are not intended for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, DNS-based attacks can be effective if launched against their networks. DNS tunneling is one such attack.

An example of DNS Tunneling is shown below:

The attacker incorporates one of many open-source DNS tunneling kits into an authoritative DNSnameserver (NS) and malicious payload.2. An IP address (e.g. 1.2.3.4) is allocated from the attacker’s infrastructure and a domain name (e.g. attackerdomain.com) is registered or reused. The registrar informs the top-level domain (.com) nameservers to refer requests for attackerdomain.com to ns.attackerdomain.com, which has a DNS record mapped to 1.2.3.43. The attacker compromises a system with the malicious payload. Once the desired data is obtained, the payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9, P028X977W,…).4. The payload initiates thousands of unique DNS record requests to the attacker’s domain with each string as

Explanation

Advanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.

A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and

quarantine.

Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference:

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

ISE posture assessment allows you to inspect the security “health” of your PC and MAC clients. This includes checking for the installation, running state, and last update for security software, such as anti-virus, anti-malware, personal firewall, and so on1. Windows service and Windows firewall are examples of such security software that can be checked by ISE posture assessment. Computer identity and user identity are not conditions that can be checked by ISE posture assessment, as they are related to authentication and authorization, not security posture. Default browser is also not a condition that can be checked by ISE posture assessment, as it is not a security software or a security risk. References: 1: Chapter 15. Device Posture Assessment - Cisco ISE for BYOD and Secure Unified Access, 3

 NetFlow is a protocol that collects and exports information about network traffic flows. NetFlow Version 9 is the latest version supported by the Cisco ASA 5500 Series firewall. To enable NetFlow on the ASA, you need to perform two main tasks: define a NetFlow collector and apply NetFlow exporter to an interface. A NetFlow collector is a device or application that receives and processes the NetFlow records sent by the ASA. You can define a NetFlow collector by using the flow-export command, which specifies the IP address, port number, and interface of the collector. A NetFlow exporter is a configuration that determines which traffic flows are monitored and exported by the ASA. You can apply NetFlow exporter to an interface by using the Modular Policy Framework (MPF), which allows you to create class maps and policy maps to match and act on interesting traffic. You can use the flow-export event-type option in the policy map to select the NetFlow events that you want to export. The other options (B, C, and D) are not required or correct for enabling NetFlow on the ASA. You do not need to create an ACL to allow UDP traffic on port 9996, because the ASA uses a random high port number to send NetFlow records to the collector. You do not need to apply NetFlow exporter to the outside interface in the inbound direction, because you can apply it to any interface and direction that you want to monitor. You do not need to create a class map to match interesting traffic, because the ASA monitors all traffic flows by default, unless you filter them by using the flow-export filters command. References:

Cisco Secure Firewall ASA NetFlow Implementation Guide, section “About NSEL”

Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure NSEL Collectors (CLI)”

Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure Flow-Export Actions Through Modular Policy Framework”

Configuring NetFlow on ASA with ASDM, section “Enabling NetFlow on ASA”

 A flow monitor is a component of Flexible NetFlow that is used to store and export flow data. A flow monitor consists of a record, an optional exporter, and a cache. The cache is a section of memory that stores flow entries before they are exported to an external collector. The cache is created by the flow monitor when NetFlow is applied to an interface. The cache collects traffic based on the key and nonkey fields in the configured record. The key fields are used to identify a flow uniquely, while the nonkey fields are used to provide additional information about the flow. The cache can be configured with various parameters, such as the number of entries, the timeout values, and the type of cache. The cache can also be viewed and cleared using show and clear commands. References :=

Some possible references are:

Flexible Netflow Configuration Guide, Cisco IOS Release 15M&T

ASR9000/XR Netflow Architecture and overview

Cisco IOS Flexible NetFlow Command Reference - cache (Flexible NetFlow) through match flow

 Cisco ISE supports two types of WebAuth for BYOD: central WebAuth and local WebAuth. Central WebAuth is the default method and it uses the ISE portal to authenticate the users and redirect them to the BYOD portal. Local WebAuth is an alternative method that uses the network access device (NAD) portal to authenticate the users and then redirects them to the ISE BYOD portal. Both methods require the configuration of a guest component on ISE, which is used to create the BYOD portal and the guest user accounts. The guest component also provides the self-service onboarding and registration features for the BYOD users. The dual component is not related to BYOD, but rather to the dual-SSID method, which uses two separate SSIDs for provisioning and access. The null WebAuth component is not a valid option for BYOD. References :=

Some possible references are:

Cisco ISE BYOD Prescriptive Deployment Guide

Configure Single SSID Wireless BYOD on Windows and ISE

Cisco ISE for BYOD and Secure Unified Access, 2nd Edition

Explanation

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks.

The kind of API that is used with Cisco DNA Center to provision SSIDs, QoS policies, and update software versions on switches is the Intent API. The Intent API is a category of APIs that allows users to express their desired network outcomes or intents, such as creating a site, adding a device, or deploying a network profile. The Intent API then translates these intents into specific network configurations and commands, and applies them to the relevant network devices and services. The Intent API simplifies and automates the network provisioning and management process, and enables users to focus on the business objectives rather than the technical details. Some examples of Intent APIs are:

Site Management API: This API allows users to create, update, delete, and retrieve sites and buildings in Cisco DNA Center. A site is a logical grouping of network devices and services that share common characteristics, such as location, policies, or functions. A site can have one or more buildings, and a building can have one or more floors. Sites are used to organize and manage the network hierarchy and topology.

Network Settings API: This API allows users to configure and manage network-wide settings, such as global credentials, network discovery, IP address pools, DHCP and DNS servers, and SNMP settings. These settings are applied to all network devices and services that are managed by Cisco DNA Center.

Network Profile API: This API allows users to create, update, delete, and retrieve network profiles in Cisco DNA Center. A network profile is a collection of network settings and policies that define how a network segment or service should operate, such as SSIDs, QoS policies, security policies, and device roles. Network profiles are used to standardize and simplify the network configuration and deployment process, and to ensure consistency and compliance across the network.

Software Image Management API: This API allows users to manage the software images and versions of network devices that are managed by Cisco DNA Center. Users can import, export, delete, and retrieve software images, as well as assign them to network devices or device groups. Users can also schedule and monitor software image updates, and view the software image compliance status of network devices.

The main difference between an on-premise solution and a cloud-based solution is the distribution of responsibilities between the customer and the provider. With an on-premise solution, the customer has full control over the installation, configuration, maintenance, and security of the product, but also bears the costs and risks associated with it. With a cloud-based solution, the provider takes care of most of these aspects, while the customer pays a subscription fee and accesses the product over the internet. Therefore, when choosing between the two options, the customer must consider factors such as cost, scalability, performance, availability, security, compliance, and customization. For example, an on-premise solution may be preferred if the customer has strict security or regulatory requirements, or needs a high level of customization. A cloud-based solution may be preferred if the customer wants to reduce capital expenditure, or needs a flexible and scalable solution that can adapt to changing demands. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts, Topic: Cloud Security

350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.6 Compare and contrast the characteristics of a data center and the cloud

Cloud vs. On-Premise Software Comparison

Explanation

A botnet is a collection of internet-connected devices infected by malware that allow hackers to control them.

Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credentials

leaks, unauthorized access, data theft and DDoS attacks.

MDM stands for Mobile Device Management, which is a system that performs compliance checks and remote wiping on mobile devices. MDM allows administrators to enforce security policies, monitor device status, and remotely manage devices in case of loss, theft, or compromise. MDM can also integrate with other Cisco security solutions, such as ISE, AMP, and Umbrella, to provide enhanced protection and visibility for mobile devices. References:

Mobile Device Management (MDM) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 5: Secure Network Access

Explanation

Explanation

Cisco’s DNA Center is the only centralized network management system to bring all of this functionality into a single pane of glass.

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can compromise the user’s interaction with the web application, steal sensitive data, perform unauthorized actions, and more. To prevent XSS, web developers need to apply various defensive techniques to ensure that user-supplied data is not interpreted as code by the browser. Two of these techniques are:

Incorporate contextual output encoding/escaping: This means that any user-supplied data that is displayed on the web page should be properly encoded or escaped according to the context where it appears. For example, if the data is inserted into an HTML attribute, it should be HTML attribute encoded; if the data is inserted into a JavaScript string, it should be JavaScript string encoded; and so on. This prevents the data from breaking out of its intended context and being executed as code by the browser. Output encoding should be done by using a reliable library or framework that supports different contexts and encodings.

Run untrusted HTML input through an HTML sanitization engine: This means that any user-supplied data that is intended to contain HTML markup should be filtered and validated by a sanitization engine that removes or escapes any potentially dangerous elements, attributes, or scripts. This prevents the attacker from injecting malicious HTML code that can execute scripts, load external resources, redirect the user, or perform other malicious actions. HTML sanitization should be done by using a well-tested and maintained library or framework that follows the best practices and standards for HTML filtering.

References :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Web Application Security, Topic 5.2.2: Cross-Site Scripting (XSS)

Cross Site Scripting Prevention Cheat Sheet - OWASP

What is cross-site scripting (XSS) and how to prevent it? - Web Security Academy

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs

IPsec - Wikipedia

AH and ESP protocols - IBM

How TLS provides identification, authentication, confidentiality, and integrity - IBM

Explanation

m_ise_interoperability_mdm.html

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.

+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.

+ Both ingress and egress NetFlow accounting is supported.

+ Microflow policing feature shares the NetFlow hardware resource with FNF.

+ Only one flow monitor per interface and per direction is supported.

The Southbound API is used to communicate between Controllers and network devices.

Explanation

A destination list is a list of internet destinations that can be blocked or allowed based on the administrative

preferences for the policies applied to the identities within your organization. A destination is an IP address

(IPv4), URL, or fully qualified domain name. You can add a destination list to Umbrella at any time; however, a

destination list does not come into use until it is added to a policy.

For TACACS authentication to work, the key configured on the network device must match the key configured on the TACACS server. If users are unable to authenticate despite the TACACS server being reachable, it is likely due to a mismatch in the keys. Ensuring that both the network device and the TACACS server have the same key configured is crucial for successful authentication.

Explanation

Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.

It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,

protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

Explanation

Explanation

Cisco FTD devices, Cisco Firepower devices, and the Cisco ASA FirePOWER modules can be managed by

the Firepower Management Center (FMC), formerly known as the FireSIGHT Management Center -> Answer D

is not correct

 Cisco Advanced Phishing Protection (AAP) is a solution that adds sophisticated machine learning capabilities to Cisco Email Security to block advanced identity deception attacks for inbound email by assessing its threat posture1. It also uses both global and local telemetry data combined with analytics and modeling to validate the reputation and authenticity of senders2. AAP provides sender authentication and BEC detection capabilities, and uses advanced machine learning techniques, real-time behavior analytics, relationship modeling and telemetry to protect against identity deception–based threats3.

In two ways, the Cisco Advanced Phishing Protection solution protects users:

It prevents use of compromised accounts and social engineering. AAP detects and blocks phishing emails that attempt to impersonate legitimate senders, such as executives, partners, or customers, and trick users into revealing sensitive information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it with a warning4.

It automatically removes malicious emails from users’ inbox. AAP provides retrospective analysis and remediation capabilities, which means that it can identify and remove emails that were initially delivered but later found to be malicious. AAP leverages the Cisco Talos threat intelligence network and the Sensor-based solution to continuously monitor the threat landscape and update the email disposition accordingly. If an email is reclassified as malicious, AAP can automatically delete it from the users’ inbox, or notify the administrator or the user to take action45.

The other options are incorrect because they do not accurately describe the functions of AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on phishing and identity deception attacks. AAP does not prevent trojan horse malware using sensors, as sensors are used to collect and analyze email data, not to block malware. AAP does not secure all passwords that are shared in video conferences, as it is not related to video conferencing security. Therefore, the correct answer is A and C. References:

Cisco’s Security Innovations to Protect the Endpoint and Email

Cisco Advanced Phishing Protection - Cisco Video Portal

Cisco Advanced Phishing Protection At A Glance - AVANTEC

User Guide for Cisco Advanced Phishing Protection

Cisco Secure Email Threat Defense - Cisco

Integrating the Email Gateway with Cisco Advanced Phishing Protection

Explanation

The telemetry information consists of three types of data:

+ Flow information: This information contains details about endpoints, protocols, ports, when the flow started,

how long the flow was active, etc.

+ Interpacket variation: This information captures any interpacket variations within the flow. Examples include

variation in Time To Live (TTL), IP and TCP flags, payload length, etc

+ Context details: Context information is derived outside the packet header. It includes details about variation in buffer utilization, packet drops within a flow, association with tunnel endpoints, etc.

Explanation

Cisco Context Directory Agent (CDA) is a mechanism that maps IP Addresses to usernames in order to allow

security gateways to understand which user is using which IP Address in the network, so those security

gateways can now make decisions based on those users (or the groups to which the users belong to).

CDA runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.

Cisco ISE uses probes to collect endpoint attributes that are used in profiling. Probes are software modules that run on the ISE Policy Service Nodes (PSNs) and gather information about the endpoints connected to the network. Probes can use various protocols and methods to collect endpoint attributes, such as RADIUS, DHCP, SNMP, HTTP, DNS, NetFlow, NMAP, Active Directory, and Cisco pxGrid. The collected attributes are then matched to predefined or custom conditions that define the endpoint profiles. Endpoint profiling enables ISE to identify and classify the endpoints and apply the appropriate policies based on their identity, role, and context12. References: 1: Cisco ISE 2.4 Endpoint Profiling - Cisco 2: How To Create an Endpoint Profile - Cisco Community

 Cisco AMP for Endpoints and Cisco Umbrella Roaming Client are both security solutions that protect mobile users from threats, but they have different functions and features. Cisco AMP for Endpoints is a cloud-managed endpoint security solution that stops and tracks malicious activity on hosts, such as malware execution, file behavior, and command-and-control callbacks. It also provides threat intelligence, sandboxing, and retrospective analysis to detect and respond to advanced threats. Cisco Umbrella Roaming Client is a lightweight DNS client that tracks only URL-based threats, such as phishing, ransomware, and botnets. It prevents connections to malicious domains and IP addresses, and provides visibility and enforcement for off-network devices. It also integrates with Cisco AnyConnect VPN client to provide seamless protection for VPN and non-VPN traffic. Therefore, the functional difference between Cisco AMP for Endpoints and Cisco Umbrella Roaming Client is that AMP for Endpoints stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks only URL-based threats. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints Overview

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.2: Cisco AMP for Endpoints Architecture and Components

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.3: Cisco AMP for Endpoints Installation and Configuration

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.4: Cisco AMP for Endpoints Analysis and Response

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.5: Cisco Umbrella Overview

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.6: Cisco Umbrella Architecture and Components

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.7: Cisco Umbrella Roaming Client

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.8: Cisco Umbrella Policies and Reporting

Best Mobile Cybersecurity Solution - Cisco Umbrella

Explanation

The command “crypto isakmp identity address 172.19.20.24” is not valid. We can only use “crypto isakmp

identity {address | hostname}. The following example uses preshared keys at two peers and sets both their

ISAKMP identities to the IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:

crypto isakmp identity address

crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:

crypto isakmp identity address

crypto isakmp key sharedkeystring address 10.0.0.1

The service password-encryption command is used to encrypt all passwords in the router configuration file, such as the enable password, the console password, the vty password, and the username password. This command prevents credentials from being seen if the router configuration was compromised, for example, by an attacker who gained access to the router or the backup files. The encryption used by this command is a weak algorithm that can be easily reversed, but it provides some level of protection against casual observers1.

The other commands are not used to encrypt passwords in the router configuration file. The username privilege 15 password and the username password commands are used to create local user accounts with or without administrative privileges, respectively. These commands store the passwords in clear text unless the service password-encryption command is enabled2. The service password-recovery command is used to enable or disable the password recovery mechanism on the router. This command does not affect the encryption of passwords in the configuration file3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.1: Device Hardening, page 1-14. 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.2: Management Plane Security, page 1-17. 3: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, Chapter: service password-recovery, page 1.

The difference between GRE over IPsec and IPsec with crypto map is that GRE (Generic Routing Encapsulation) over IPsec can encapsulate and transport non-IP protocols across an IP network, whereas IPsec with crypto map is typically used for IP traffic. GRE tunnels wrapped in IPsec provide a way to transport multicast traffic and other protocol types across an IPsec VPN, offering greater flexibility in the types of traffic that can be secured.

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella] 5: [Advanced Malware Protection - Cisco Umbrella]

Explanation

Cisco Cognitive Threat Analytics helps you quickly detect and respond to sophisticated, clandestine attacks that are already under way or are attempting to establish a presence within your environment. The solution automatically identifies and investigates suspicious or malicious web-based traffic. It identifies both potential and confirmed threats, allowing you to quickly remediate the infection and reduce the scope and damage of an attack, whether it’s a known threat campaign that has spread across multiple organizations or a unique threat you’ve never seen before.

Detection and analytics features provided in Cognitive Threat Analytics are shown below:

+ Data exfiltration: Cognitive Threat Analytics uses statistical modeling of an organization’s network to identify anomalous web traffic and pinpoint the exfiltration of sensitive data. It recognizes data exfiltration even in HTTPS-encoded traffic, without any need for you to decrypt transferred content

+ Command-and-control (C2) communication: Cognitive Threat Analytics combines a wide range of data, ranging from statistics collected on an Internet-wide level to host-specific local anomaly scores. Combining these indicators inside the statistical detection algorithms allows us to distinguish C2 communication from benign traffic and from other malicious activities. Cognitive Threat Analytics recognizes C2 even in HTTPSencoded or anonymous traffic, including Tor, without any need to decrypt transferred content, detecting a broad

range of threats

…

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

Explanation

SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which can often break scripts.

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data.

Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics. Referfence: telemetry

Explanation

Explanation

Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security policies

and device configurations with ease across multiple Cisco and cloud-native security platforms.

Cisco Defense Orchestrator features:

….

Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki

MX software is now easy, with the ability to share policy elements across platforms.

Explanation

Cisco‘s Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate

point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security

association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any

other GM.

GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.

The correct answer is to enable two-factor authentication through a RADIUS server, and then join the cluster via the SEG CLI. Two-factor authentication is a security feature that requires users to provide two forms of identification before accessing the SEG, such as a username and password, and a one-time code or token. This adds an extra layer of protection against unauthorized access and phishing attacks. The SEG supports two-factor authentication through external RADIUS servers, which can be configured on the System Administration > Users page in the web interface, or the userconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Two-Factor Authentication) for more details.

To join a cluster, the SEG must communicate with other cluster members using either SSH or CCS (Cluster Communication Service). The cluster communication port and method can be configured on the Network > Cluster Communication page in the web interface, or the clusterconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Cluster Communication) for more details.

If two-factor authentication is enabled on the SEG, it cannot join a cluster using the web interface, because the web interface does not support two-factor authentication for cluster operations. Therefore, the SEG must join the cluster using the CLI, and provide a pre-shared key that matches the cluster’s admin passphrase. The pre-shared key can be configured using the clusterconfig > prepjoin command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Creating and Joining a Cluster) for more details.

The other options are incorrect because they either use the wrong authentication server (TACACS+ instead of RADIUS), or the wrong communication method (GUI instead of CLI). References:

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment)

Configure an Email Security Appliance (ESA) Cluster - Cisco

When the Cisco Secure Firewall downloads threat intelligence updates from Cisco Talos, it is engaged in "consumption." This term refers to the process of receiving and utilizing threat intelligence data to enhance security measures. Cisco Talos provides comprehensive threat intelligence that Cisco Secure Firewall consumes to update its threat detection and prevention capabilities.

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

Explanation

Community Cloud allows system and services to be accessible by group of organizations. It shares the

infrastructure between several organizations from a specific community. It may be managed internally by

organizations or by the third-party.

Explanation

Explanation

A bridge group is a group of interfaces that the ASA bridges instead of routes. Bridge groups are only

supported in Transparent Firewall Mode. Like any other firewall interfaces, access control between interfaces is controlled, and all of the usual firewall checks are in place.

Each bridge group includes a Bridge Virtual Interface (BVI). The ASA uses the BVI IP address as the source address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the bridge group member interfaces. The BVI does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported.

You can include multiple interfaces per bridge group. If you use more than 2 interfaces per bridge group, you can control communication between multiple segments on the same network, and not just between inside and outside. For example, if you have three inside segments that you do not want to communicate with each other, you can put each segment on a separate interface, and only allow them to communicate with the outside interface. Or you can customize the access rules between interfaces to allow only as much access as desired.

Proxy caching is a method that enables a proxy server to save recent and frequent website/webpage requests and data requested by one or more client machines. It reduces latency, eases bandwidth consumption, and ensures content is served more swiftly to the end-user12. WSA (Web Security Appliance) is a Cisco product that provides proxy caching functionality, along with other web security features such as malware protection, URL filtering, and data loss prevention3. Firepower, FireSIGHT, and ASA are other Cisco products that do not provide proxy caching, but rather focus on different aspects of network security, such as threat detection, management, and firewall . References:

What is Proxy Caching? | StackPath

What Is Proxy Caching? | Definition & Overview | NinjaOne

Cisco Web Security Appliance Data Sheet

[Cisco Firepower NGFW Data Sheet]

[Cisco FireSIGHT Management Center Data Sheet]

[Cisco ASA 5500-X Series Firewalls Data Sheet]

Threat intelligence is the term for having information about threats and threat actors that helps mitigate harmful events that would otherwise compromise networks or systems. Threat intelligence is the result of collecting, analyzing, and contextualizing data from various sources, such as network traffic, logs, feeds, reports, etc. Threat intelligence provides insights into the tactics, techniques, and procedures (TTPs) of adversaries, as well as their motivations, intentions, and capabilities. Threat intelligence can help organizations to detect, prevent, and respond to cyberattacks, as well as to improve their security posture and resilience12. The other options are not correct, because they are not terms for having information about threats and threat actors. Trusted automated exchange is a concept that refers to the sharing of threat intelligence among trusted entities in a timely and secure manner3. Indicators of Compromise (IoCs) are pieces of forensic data, such as IP addresses, domains, hashes, etc., that indicate a potential intrusion or compromise of a system or network. The Exploit Database is a public repository of exploits and vulnerable software, maintained by Offensive Security. References:

1: What is Cyber Threat Intelligence? - Cisco

2: Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

3: Trusted Automated Exchange of Intelligence Information (TAXII™) Version 2.0

[4]: What Are Indicators of Compromise (IOCs)? - Cisco

[5]: The Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers

 The error 403: Forbidden indicates that the web server denied access to the requested resource, which in this case is the PCAP file. One possible reason for this error is that the HTTPS server is not enabled for the device platform policy, which is a configuration that applies to the FTD devices managed by the FMC. The device platform policy defines the settings for the management interface, the SSH access, the SNMP, the NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must enable the HTTPS server for the device platform policy in order to resolve this issue. To enable the HTTPS server for the device platform policy, the engineer must follow these steps:

Log in to the FMC web interface and navigate to Devices > Platform Settings.

Select the device platform policy that applies to the FTD device and click Edit.

In the General tab, check the Enable HTTPS Server checkbox and click Save.

Deploy the policy changes to the FTD device and wait for the deployment to complete.

Try to access the PCAP file again from the FMC web browser using the same address.

Alternatively, the engineer can also enable the HTTPS server for the FTD device from the FTD CLI using the command configure network https-server enable. However, this method is not recommended because it may cause a configuration conflict with the FMC123

References := 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco 3: Cisco Firepower Threat Defense Command Reference - C through D Commands [Cisco Firepower NGFW] - Cisco

Explanation

The Stealthwatch Cloud Private Network Monitoring (PNM) Sensor is an extremely flexible piece of technology,

capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete

Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on

hardware running a number of different Linux-based operating systems.

 Installing the Cisco Umbrella root CA onto the user’s device is the action that accomplishes the goal of inspecting traffic without alerting end-users. This is because the root CA allows the user’s device to trust the certificates issued by the Cisco Umbrella intelligent proxy, which acts as a man-in-the-middle for SSL sites on Umbrella’s grey list. Without the root CA, the user’s browser would raise errors when accessing those sites, as it would detect an untrusted certificate. By installing the root CA, the user’s browser would accept the certificate and allow the traffic to be proxied and inspected by the intelligent proxy. References:

Enable SSL Decryption - Umbrella User Guide

SSL Decryption in the Intelligent Proxy – Cisco Umbrella

Cisco Umbrella Intelligent Proxy and SSL Decryption

Intelligent Proxy and SSL Decryption with Cisco Umbrella

Explanation

Ping of Death (PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash,

destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.

A correctly-formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered,

and 84 including Internet Protocol version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol documented

Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before

transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

The issue is that the engineer is using the wrong hashing algorithm to generate the hash for the custom detection policy. Cisco AMP for Endpoints requires the use of SHA-256 hashes for simple custom detections, as stated in the Configure a Simple Custom Detection List on the AMP for Endpoints Portal document. SHA-256 hashes are 64 hexadecimal characters long, while MD5 hashes are 32 hexadecimal characters long. Therefore, if the engineer tries to upload a hash created using MD5, the dashboard will indicate that the hash is not 64 characters and is non-zero, as shown in the image below:

To resolve the issue, the engineer should use a tool or a website that can generate SHA-256 hashes from files, such as this one, and upload the correct hash to the custom detection list. References : Configure a Simple Custom Detection List on the AMP for Endpoints Portal, Create an Advanced Custom Detection List in Cisco Secure Endpoint, Working with Advanced Malware Protection (AMP) for Endpoints

 The Cisco WSA supports mainly two authentication protocols: LDAP and NTLM. LDAP is a standard protocol for accessing directory services, such as Active Directory or OpenLDAP. NTLM is a proprietary protocol for authenticating Windows clients to Windows servers. NTLM has two versions: NTLMv1 and NTLMv2. NTLMSSP (NT LAN Manager Security Support Provider) is a variant of NTLMv2 that provides additional security features, such as message integrity and confidentiality. The Cisco WSA supports both LDAP and NTLMSSP using basic authentication, which requires the user to enter a username and password. The Cisco WSA also supports Kerberos, which is a network authentication protocol that uses tickets to authenticate users and services. Kerberos is based on symmetric-key cryptography and requires a trusted third party, called the Key Distribution Center (KDC), to issue and validate tickets. Kerberos is more secure and efficient than NTLM, as it does not require the user to enter credentials repeatedly and does not send passwords over the network. The Cisco WSA supports Kerberos only in standard mode, not in cloud connector mode. The Cisco WSA does not support TACACS+ or CHAP as authentication protocols. TACACS+ is a Cisco proprietary protocol for authenticating network devices and users to a central server. CHAP is a challenge-response protocol for authenticating PPP connections. These protocols are not designed for web security appliances and are not compatible with the Cisco WSA. References:

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances (Section: Acquire End-User Credentials)

Cisco WSA Authentication

WSA Authentication

 Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based solution that provides endpoint protection against malware and advanced threats. It can be deployed in different architectures depending on the customer’s needs and preferences. One of the deployment options is the private cloud, which is designed to keep data within a network perimeter. In this option, the customer hosts the AMP for Endpoints console and the AMP cloud on their own infrastructure, and the endpoints connect to the private cloud for analysis and policy enforcement. This option provides more control and privacy over the data, but also requires more resources and maintenance from the customer. The other deployment options are the public cloud, which uses the Cisco-hosted AMP cloud and console, and the hybrid cloud, which uses a combination of the public and private clouds123 References: 1: Protecting Against Malware Threats with Cisco AMP for Endpoints (SSFAMP) course overview 2: Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco 3: Cisco Advanced Malware Protection for Endpoints - Zones

 To configure the Cisco ASA via ASDM for SNMPv3, the administrator needs to perform two main tasks: specify an SNMP user group and add an SNMP USM entry. An SNMP user group defines the access level and security model for a group of SNMP users. An SNMP USM entry defines the authentication and encryption parameters for a specific SNMP user. These two tasks are required for SNMPv3 because it uses a user-based security model (USM) that provides secure access to the MIB objects. SNMPv3 does not use a community string, which is a shared password used by SNMPv1 and SNMPv2c. The SNMP manager and UDP port are optional parameters that can be specified to customize the SNMP communication. The SNMP host access entry is also optional and can be used to restrict the access of SNMP hosts to specific interfaces or networks. References :=

Some possible references are:

SNMP Configuration, Verification and Troubleshooting on ASA

How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus

SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Explanation

Explanation

+ Cisco Cloudlock continuously monitors cloud environments with a cloud Data Loss Prevention (DLP) engine

to identify sensitive information stored in cloud environments in violation of policy.

+ Cloudlock is API-based.

+ Incidents are a key resource in the Cisco Cloudlock application. They are triggered by the Cloudlock policy engine when a policy detection criteria result in a match in an object (document, field, folder, post, or file).

 To configure a flow-export action on a Cisco ASA, you need to use the flow-export event-type command and the policy-map command. The flow-export event-type command specifies the type of events that trigger the export of NetFlow Security Event Logging (NSEL) records to a collector. The policy-map command creates or modifies a policy map that can be applied to one or more interfaces to specify a service policy. A service policy consists of a traffic class and one or more actions to be applied to the traffic class. One of the actions can be a flow-export action that matches the NSEL events and sends them to a collector. The other commands are not required for configuring a flow-export action. The access-list command creates or modifies an access list that can be used to filter traffic or match traffic classes, but it is not mandatory for a flow-export action. The flow-export template timeout-rate command specifies how often the ASA sends the template to the collector, but it is not part of the flow-export action configuration. The access-group command applies an access list to an interface, but it is not related to the flow-export action. References:

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Network Secure Event Logging (NSEL)

Solved: Flow-Export problem - Cisco Community

How to configure NetFlow on Cisco ASA firewalls - Auvik Support

Configuring Cisco’s ASA for NSEL Export to the StealthWatch System

 The management port on Cisco FMC is used to establish a secure connection with the managed Cisco FTD devices. If the default management port (8305) conflicts with other communications on the network, it must be changed on both the Cisco FMC and the Cisco FTD devices. This cannot be done automatically by the Cisco FMC, as it would lose connectivity with the devices. Therefore, the administrator must manually change the management port on the Cisco FMC and all the managed Cisco FTD devices using the command line interface (CLI). The steps to change the management port are as follows:

Log into the CLI of the Cisco FMC and the Cisco FTD devices using a console connection or SSH.

Enter the configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces command to change the management port on the Cisco FMC. For example, configure network ipv4 manual 10.10.10.10 255.255.255.0 data-interfaces changes the management port to 10.10.10.10/24.

Enter the configure network {ipv4 | ipv6} manual ip_address netmask gateway management-only command to change the management port on the Cisco FTD devices. For example, configure network ipv4 manual 10.10.10.11 255.255.255.0 10.10.10.10 management-only changes the management port to 10.10.10.11/24 and sets the gateway to the Cisco FMC’s management port.

Save the configuration and restart the Cisco FMC and the Cisco FTD devices.

Verify the connectivity between the Cisco FMC and the Cisco FTD devices using the show managers command on the Cisco FTD devices and the show devices command on the Cisco FMC.

References :=

Firepower Management Center Device Configuration Guide, 7.1 - Device Management

Change management port fmc 1600 - Cisco Community

Solved: FMC 2120 FTD Management Only Port - Cisco Community

Change the FMC Access Interface from Management to Data

 Microsegmentation is a method of securing multi cloud data centers using granular segmentation rules for the individual workload or application, reducing the risk of an attacker moving from one compromised workload or application to another1. Microsegmentation with Cisco ACI enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine (VM)-based attributes2. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center1. References: 1: What Is Micro-Segmentation? - Cisco 2: Microsegmentation with Cisco ACI

the routing of traffic through the Cisco Umbrella network is to browse This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

How To: Successfully test to ensure you’re running Umbrella correctly

Add a Network Identity

Explanation

You can configure discovery rules to tailor the discovery of host and application data to your needs.

The Firepower System can use data from NetFlow exporters to generate connection and discovery events, and to add host and application data to the network map.

A network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not correct.

Explanation

CoA Messages are sent on two different udp ports depending on the platform. Cisco standardizes on UDP port

1700, while the actual RFC calls out using UDP port 3799.

A next-generation endpoint security solution is a modern approach of combining user and system behavior analytics with AI and machine learning to provide endpoint security12. These solutions are specifically designed to detect unknown malware and zero-day threats, which other non-next-generation solutions might fail to detect3. Two key deliverables that help justify the implementation of a next-generation endpoint security solution are:

Continuous monitoring of all files that are located on connected endpoints. This feature allows the solution to scan and analyze all files on the endpoints, regardless of their origin or type, and identify any malicious or suspicious behavior. This helps to prevent malware from infecting the endpoints or spreading to other devices on the network4.

Real-time feeds from global threat intelligence centers. This feature enables the solution to leverage the latest information and insights from various sources, such as security researchers, vendors, and customers, to detect and block new and emerging threats. This helps to keep the endpoints updated and protected from the most advanced and sophisticated attacks5.

References := 1: Overview of next-generation protection in Microsoft Defender for Endpoint 2: What Is Next-Generation Endpoint Security? 2024 Ultimate Guide - SelectHub 3: [Next

 SNMPv3 is a security model that uses authentication and encryption to provide secure access to devices. SNMPv3 requires the configuration of SNMP groups, users, and views. SNMP groups define the security model, security level, and access rights for a set of users. SNMP users are members of SNMP groups and have passwords for authentication and encryption. SNMP views define the subset of the MIB tree that a group of users can access. To facilitate access to the SNMP views, the network administrator must map the SNMPv3 users to the SNMP views using the snmp-server group command with the v3 and view keywords. This command assigns a view to a group of users and specifies the security model and level for that group. For example, the following command maps the SNMPv3 users in the group admin to the view all using the authPriv security level:

snmp-server group admin v3 authPriv read all write all

This command allows the users in the group admin to access all the MIB objects in the view all using authentication and encryption. The other options are not correct because they are not related to the SNMP views. Option B is incorrect because the password for SNMPv3 authentication is configured for each user using the snmp-server user command with the auth keyword. Option C is incorrect because the encryption algorithm for SNMPv3 is also configured for each user using the snmp-server user command with the priv keyword. Option D is incorrect because the UDP port used by SNMP is not configurable and is always 161 for queries and 162 for traps. References :=

Some possible references for this question are:

SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) - SNMP Version 3

Configuration Template for SNMPv3 - Cisco Community

Configure ESXi for SNMP v3 - VMware Docs

How to Configure SNMPv3 and How It Works - CBT Nuggets

 SaaS stands for Software as a Service, which is a cloud service offering that allows customers to access a web application that is being hosted, managed, and maintained by a cloud service provider. SaaS applications are typically accessed through a web browser or a mobile app, and the customers do not need to install, update, or maintain any software or hardware on their own. SaaS applications can provide various benefits, such as lower upfront costs, faster deployment, scalability, and automatic updates. Some examples of SaaS applications are Gmail, Salesforce, Zoom, and Netflix123.

IaC stands for Infrastructure as Code, which is a method of provisioning and managing cloud resources using code or scripts, rather than manual processes or graphical user interfaces. IaC can help automate and standardize the deployment and configuration of cloud infrastructure, as well as improve consistency, reliability, and security. IaC is not a cloud service offering, but rather a technique or practice that can be used with different cloud service models, such as IaaS or PaaS45.

IaaS stands for Infrastructure as a Service, which is a cloud service offering that provides customers with access to virtualized computing resources, such as servers, storage, networks, and operating systems. IaaS customers can rent or lease these resources from a cloud service provider, and have full control over their configuration and management. IaaS customers are responsible for installing, updating, and maintaining their own applications and middleware on top of the cloud infrastructure. IaaS can provide various benefits, such as flexibility, scalability, cost-effectiveness, and security. Some examples of IaaS providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform .

PaaS stands for Platform as a Service, which is a cloud service offering that provides customers with access to a cloud-based platform that includes the infrastructure, operating system, middleware, and development tools needed to build, deploy, and run applications. PaaS customers can focus on developing and running their own applications, without worrying about the underlying cloud infrastructure or software. PaaS can provide various benefits, such as faster development, scalability, compatibility, and security. Some examples of PaaS providers are Heroku, AWS Elastic Beanstalk, and Google App Engine .

References := 1: IaaS vs. PaaS vs. SaaS | IBM 2: What is SaaS? Software as a service explained | InfoWorld 3: SaaS - Software as a Service | Oracle 4: What is Infrastructure as Code (IaC)? | Red Hat 5: Infrastructure as Code (IaC) | AWS : What is IaaS? Infrastructure as a service explained | InfoWorld : IaaS - Infrastructure as a Service | Oracle : Cloud Computing Services | Google Cloud : What is PaaS? Platform as a service explained | InfoWorld : PaaS - Platform as a Service | Oracle : Cloud Services - Deploy Cloud Apps & APIs | Microsoft Azure

Explanation

Cisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email security

infrastructure both on premises and in the cloud. You can change the number of on-premises versus cloud

users at any time throughout the term of your contract, assuming the total number of users does not change.

This allows for deployment flexibility as your organization’s needs change.

Explanation

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable

source. It is usually done through email. The goal is to steal sensitive data like credit card and login information,

or to install malware on the victim’s machine.

Explanation

Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.

The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.

 Posture is a feature within Cisco ISE that verifies the compliance of an endpoint before providing access to the network. Posture assessment checks the state of the endpoint, such as the operating system, antivirus, firewall, patches, and so on, against the predefined policies. If the endpoint does not meet the policy requirements, it can be remediated by installing or updating the necessary software or configuration. Posture assessment can be done for both wired and wireless endpoints, as well as VPN clients. Posture assessment requires the installation of a posture agent on the endpoint, which communicates with the posture service on the ISE server. The posture agent can be either a persistent agent, which runs in the background and provides continuous assessment, or a temporal agent, which runs on-demand and is removed after the assessment is complete. Posture assessment can be integrated with 802.1X or web authentication methods for network access control. References :=

Some possible references are:

ISE Posture Prescriptive Deployment Guide

ISE Posture Deployment Best Practices and Considerations

Understanding ISE Posture Services

The command that results in these messages when attempting to troubleshoot an iPsec VPN connection is debug crypto isakmp. This command displays debug information about the Internet Key Exchange (IKE) protocol, which is used to establish security associations (SAs) for IPsec VPNs. The messages in the exhibit show various steps and statuses of the IKE negotiation process, such as creating and deleting peer structures, receiving and sending packets, and checking the compatibility of the security policies and proposals. The other commands are either invalid (debug crypto ipsec endpoint and debug crypto isakmp connection) or display different information (debug crypto ipsec shows the details of the IPsec encryption and decryption operations). References: 

Based on the configuration script in the image, the interface GigabitEthernet0/0/18 is configured for both 802.1X and MAB authentication. The command authentication port-control auto enables 802.1X authentication on the port, while the command dot1x pae authenticator enables the port to act as an authenticator. The command authentication host-mode multi-domain enables MAB authentication on the port, and allows two devices to be authenticated, one in the voice VLAN and one in the data VLAN. Therefore, when a device tries to connect to the port, the switch will first attempt 802.1X authentication, and if it fails, it will fall back to MAB authentication using the device’s MAC address. The switch will then contact the ISE server, which is configured as the RADIUS server group ise-group, to verify the device’s credentials and assign the appropriate access level based on the ISE policy. The ISE policy can also dynamically assign VLANs, ACLs, or service policies to the device based on its identity and posture. References :=

Some possible references are:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 6: Secure Connectivity, Lesson 6.2: Implementing Site-to-Site VPNs, Topic 6.2.2: Group Encrypted Transport VPN

Cisco IOS Security Configuration Guide, Release 15M&T - Configuring IEEE 802.1x Port-Based Authentication

Cisco IOS Security Configuration Guide, Release 15M&T - Configuring MAC Authentication Bypass

Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Wired 802.1X and MAB

A CoA request is a network protocol message used in the context of network access control and authentication systems. It is typically employed in scenarios where a user’s access privileges or attributes need to be modified during an active network session. CoA requests are commonly used in conjunction with the RADIUS protocol, which is widely used for managing user authentication and authorization in network environments. When a CoA request is initiated, it is sent by a network access server (NAS) to a RADIUS server to request a change in the user’s authorization state or attributes. The CoA request contains information specifying the desired change, such as granting additional access privileges, revoking existing privileges, modifying session parameters, or updating user attributes. The RADIUS server processes the CoA request and applies the necessary changes to the user’s session in real-time, allowing dynamic adjustments to the user’s authorization and network access. CoA requests are often utilized in scenarios where an administrator needs to promptly update a user’s access rights without requiring them to terminate their current session. This flexibility is particularly valuable in environments that demand fine-grained access control or where access privileges need to be adjusted based on changing circumstances or policies. References :=

Some possible references for this answer are:

RADIUS Change of Authorization - Cisco

What is a CoA Request? - Portnox

RADIUS Change of Authorization: Explained - Cloud RADIUS

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

Active Directory (AD) is an ID store that requires that a shadow user be created on Cisco ISE for the admin login to work. A shadow user is a user account that is defined in the ISE internal database, but has the password set to external. This means that the user authentication is performed against an external identity source, such as AD, while the user authorization is based on the ISE admin group membership. A shadow user is useful when the admin wants to assign different roles or permissions to specific AD users, rather than using AD groups. To create a shadow user, the admin must check the External checkbox in the ISE admin user configuration, and make sure that the username matches the AD username. The shadow user must also be assigned to an ISE admin group that has the Type set to External123. References := 1: ISE Admin User Shadow AD Account Issue 2: ISE Admin user authentication from AD 3: Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?

Cisco CloudLock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. CloudLock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. With CloudLock you can more easily combat data breaches while meeting compliance regulations1.

Cisco CloudLock provides the following features that meet the requirements of visibility into data transfers as well as protection against data exfiltration:

User security: Cloudlock uses advanced machine learning algorithms to detect anomalies based on multiple factors. It also identifies activities outside allowed countries and spots actions that seem to take place at impossible speeds across distances1.

Data security: Cloudlock’s data loss prevention (DLP) technology continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. It also supports inline and out-of-band data inspection and blocking capabilities to protect sensitive data12.

App security: The Cloudlock Apps Firewall discovers and controls cloud apps connected to your corporate environment. You can see a crowd-sourced Community Trust Rating for individual apps, and you can ban or allowlist them based on risk1.

The other solutions do not provide the same level of visibility and protection as Cisco CloudLock:

Cisco Umbrella is a cloud-delivered network security service that provides DNS-layer security, secure web gateway, cloud-delivered firewall, cloud access security broker, and threat intelligence3. It does not offer data security features such as DLP, data inspection, and data blocking4.

Cisco AppDynamics Cloud Monitoring is a cloud-native application performance management solution that helps you monitor, troubleshoot, and optimize your cloud applications. It does not offer user security, data security, or app security features as a CASB solution.

Cisco Stealthwatch is a network traffic analysis solution that provides visibility and threat detection across your network, endpoints, and cloud. It does not offer data security features such as DLP, data inspection, and data blocking.

 3: Cisco Umbrella Packages - Cisco Umbrella 1: Cisco Cloudlock - Cisco 2: Cisco Cloudlock Cisco Cloudlock: Secure Cloud Data 4: Easy to Deploy & Simple to Manage CASB Solution - Cisco Umbrella : Cisco AppDynamics Cloud Monitoring : Cisco Stealthwatch - Cisco

Explanation

The call to API of allows us to fetch list of computers across your

organization that Advanced Malware Protection (AMP) sees

Explanation

Explanation

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics.

Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming.

Explanation

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal,

often financial, information. Attackers may send email seemingly from a reputable credit card company or

financial institution that requests account information, often suggesting that there is a problem.

To migrate a Cisco WSA virtual appliance from one physical host to another physical host by using VMware vMotion, both hosts must have access to the same defined network. This is because vMotion preserves the network identity and connections of the virtual machine, and requires that the source and destination hosts have compatible CPUs and shared storage1. The hosts do not need to run the same or different versions of Cisco AsyncOS, as long as they meet the minimum requirements for the virtual appliance2. The hosts do not need to use a different datastore than the virtual appliance, as vMotion can migrate virtual machines across datastores as well3. References: 1: VMware vMotion: Live Migration of Virtual Machines and Storage 2: Cisco Secure Web Appliance Virtual - Cisco 3: Migrating to Virtual SMA from Physical - Cisco Community

 The RADIUS CoA feature supports five IETF attributes as defined in RFC 5176. These are:

Event-Timestamp: This attribute indicates the time when the CoA request was generated by the server.

State: This attribute contains a value that is copied from the Access-Accept message that authorized the session.

Session-Timeout: This attribute specifies the maximum number of seconds of service provided to the user before termination of the session or prompt.

Idle-Timeout: This attribute specifies the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter-Id: This attribute identifies the filter list to be applied to the user session.

The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined by Cisco or other vendors. These VSAs can be used to perform additional actions such as port shutdown, port bounce, or security and password accounting. References :=

Some possible references are:

RFC 5176: This document describes the dynamic authorization extensions to RADIUS, including the CoA request and response codes, and the supported IETF attributes.

RADIUS Change of Authorization - Cisco: This document provides the configuration guide for the RADIUS CoA feature on Cisco IOS devices, including the supported IETF and Cisco VSAs.

Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists the supported IETF attributes and error clause values for the RADIUS CoA feature on Ruckus devices.

V

A PAC file, or proxy auto-configuration file, is a script that tells the web browser how to use a proxy server for different URLs. A PAC file can be hosted on a web server or on the WSA itself, and can be deployed to the client web browser manually or automatically. A WSA HTTP proxy configuration with a PAC file is defined as an explicit proxy deployment, because the client web browser is aware of the proxy and sends requests to it directly. This is different from a transparent proxy deployment, where the client web browser is unaware of the proxy and the requests are redirected to it by a network device such as a router or a firewall. A bridge proxy deployment is a type of transparent proxy deployment where the WSA acts as a layer 2 bridge between two network segments and intercepts the traffic passing through it. A PAC file is not used in a bridge proxy deployment. In a dual-NIC configuration, the WSA has two network interfaces, one for the client-side network and one for the server-side network. The PAC file does not direct traffic through the two NICs to the proxy, but rather tells the client web browser to send requests to the proxy’s IP address and port number. The WSA then forwards the requests to the server-side network through the other NIC. Therefore, option B is incorrect. References :=

Some possible references are:

1: What is a Proxy Pac file and are there any examples? - Cisco

2: What is a PAC file and where is it located on WSA? - Cisco

3: [WSA Training Series] How to configure the HTTPS Proxy on the Cisco Web Security Appliance

4: Proxy Auto-Configuration (PAC) file

5: Use proxy auto-configuration (.pac) files with IEAK 11

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that uses the same key to encrypt and decrypt data. It turns plain text into a code that only the intended recipient can read. AES has different key sizes, such as 128, 192, and 256 bits. The larger the key size, the more secure and complex the encryption is. AES 256 is the most secure encryption algorithm for VPN communications, as it uses a 256-bit key that would take an enormous amount of time and computing power to crack. AES 256 is widely used by VPN providers, as it offers a high level of security and performance for VPN tunnels. AES 256 is also recommended by the U.S. government for protecting classified information. References :=

How Does a VPN Securely Encrypt Your Connection?

What Is VPN Encryption, Types, Protocols And Algorithms Explained

What is AES (Advanced Encryption Standard)?

What is VPN Encryption & How Does it Work?

A Cisco Umbrella virtual appliance (VA) is a lightweight virtual machine that acts as a DNS forwarder in your network. It forwards internal DNS queries to Umbrella and provides Umbrella with the internal IP address and hostname of the device that made the request. This allows Umbrella to apply policies and report on traffic based on the subnet, hostname, or user identity of the device1. The other options are not relevant for this scenario. Tenant control features are used to limit access to specific instances of cloud applications, such as Microsoft 365 or Google G Suite2. The Microsoft Active Directory Connector is used to provision users and groups from Active Directory to Umbrella, not to provide IP address information3. An internal domain is a domain that is resolved by your own DNS server, not by Umbrella, and is used to bypass Umbrella for domains that are only accessible within your network4. References:

1: Deploy Virtual Appliances - Umbrella User Guide

2: Manage Tenant Controls - Umbrella SIG User Guide

3: Connect Active Directory to Umbrella to Provision User and Groups

4: Domain Management - Umbrella User Guide

Using an Internet browser to access cloud-based service creates the risk of insecure implementation of API. API stands for Application Programming Interface, which is a set of rules and protocols that allow different applications or services to communicate and exchange data. API is often used to access cloud-based service, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). However, if the API is not implemented securely, it can expose sensitive data or allow unauthorized access to the cloud service. For example, an API may not use encryption, authentication, or authorization mechanisms to protect the data in transit or at rest. An API may also have vulnerabilities such as injection, broken authentication, or insufficient logging and monitoring, which can be exploited by attackers to compromise the cloud service or the user’s browser. Therefore, it is important to follow the best practices and standards for secure API development and testing, such as OWASP API Security Top 10. References:

1: Implementing and Operating Cisco Security Core Technologies (SCOR) - Cisco

2: 350-701 SCOR - Cisco

3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

4: 12 Cloud Security Issues: Risks, Threats & Challenges - CrowdStrike

5: 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud - SEI Blog

6: Remote Browser Isolation Protects Users from Threats - Cisco Umbrella

7: Which risk is created when using an Internet browser to access cloud-based service?

8: Browser in the Cloud: The Evolution of Secure Browsing - Leostream

[9]: OWASP API Security Top 10 2023

 The Decrypt for Application Detection feature within the WSA Decryption options enhances the ability of AsyncOS to detect HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to web applications. This allows the Application Visibility and Control (AVC) engine to more accurately detect and block web applications that use HTTPS. This feature can help improve the security and performance of the network by identifying and controlling the usage of web applications that may consume bandwidth, pose security risks, or violate compliance policies.

DNS-layer security is a method of protecting users from cyberthreats by blocking malicious or risky domains before a connection is established. Cisco Umbrella is a cloud-based service that provides DNS-layer security by using Cisco Talos threat intelligence to filter DNS requests and prevent access to malicious domains. Cisco Umbrella also offers other security features, such as web filtering, cloud-delivered firewall, secure web gateway, and cloud access security broker. Cisco Umbrella can protect users on and off the corporate network, regardless of their location or device. Cisco Umbrella is compatible with other Cisco security solutions, such as Cisco ISE, Cisco FTD, and Cisco ASA, but it is the only one that offers DNS-layer security as a core capability. References:

What Is DNS Security? How Does It Work? - Cisco Umbrella

Why Umbrella DNS Security? - Cisco Umbrella

Explanation

Cloud computing can be broken into the following three basic models:

+ Infrastructure as a Service (IaaS): IaaS describes a cloud solution where you are renting infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model because you pay for what you use.

+ Platform as a Service (PaaS): PaaS provides everything except applications. Services provided by this

model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

+ Software as a Service (SaaS): SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a peruse fee.

Explanation

A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.

PFS stands for Perfect Forward Secrecy, which is a property of some cryptographic protocols that ensures that the compromise of a long-term key does not affect the security of past or future sessions. PFS provides the highest level of protection against brute-force attacks, because even if an attacker manages to break the long-term key, they cannot decrypt the previous or subsequent communications that use different session keys. PFS is achieved by using ephemeral or temporary keys that are derived from a Diffie-Hellman key exchange, and are not based on the long-term key. Therefore, each session has a unique and independent key that is not stored or reused. PFS is supported by some protocols such as TLS, SSH, and IPsec123. References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing Networks with Cisco Firepower Next Generation IPS, Lesson 4.1: Deploying Cisco Firepower Next-Generation IPS, Topic 4.1.2: Cisco Firepower NGIPS Device Management 2: What is Perfect Forward Secrecy? | Baeldung on Computer Science4 3: Perfect Forward Secrecy - an overview | ScienceDirect Topics5

The WCCP-configured router identifies if the Cisco WSA is functional by exchanging periodic messages with the WSA. The WSA sends a Here-I-Am message every 10 seconds to the router, which contains information such as the WSA’s IP address, service group, and hash assignment. The router responds with an I-See-You message, which acknowledges the receipt of the Here-I-Am message and provides information such as the router’s IP address, service group, and view of the WCCP topology. These messages allow the router and the WSA to maintain a bidirectional communication and to detect any changes or failures in the WCCP network12.

Option C is the correct answer, as it describes the correct message exchange between the WCCP-configured router and the Cisco WSA. Option A is incorrect, as the router does not use ICMP ping to check the WSA’s functionality, and the traffic is not transmitted to the router, but redirected by the router. Option B is incorrect, as the router does not use ICMP ping to check the WSA’s functionality, and the traffic is not transmitted to the WSA, but redirected by the WSA. Option D is incorrect, as the router does not send a Here-I-Am message, but an I-See-You message, and the WSA does not acknowledge with an I-See-You message, but a Here-I-Am message. References: WCCP Router Configuration Example - Cisco. Cisco ASA WCCP Traffic Redirection Guide - Cisco.

Cisco AMP for Endpoints is a solution that enables protection, detection, and response on the endpoint against known and unknown threats. It provides continuous visibility and analysis of endpoint activity, as well as automated threat prevention and response capabilities. It leverages cloud-based intelligence, sandboxing, and machine learning to block malware, fileless attacks, ransomware, and other advanced threats. It also allows security teams to quickly investigate and remediate incidents, as well as hunt for indicators of compromise across all endpoints. Cisco AMP for Endpoints is part of the Cisco SecureX platform, which integrates with other Cisco security solutions to provide a unified and simplified security experience. The other options are not correct because they do not offer the same level of endpoint protection, detection, and response as Cisco AMP for Endpoints. Cisco AnyConnect is a VPN solution that provides secure access to the network for remote workers, but it does not monitor or respond to endpoint threats. Cisco Umbrella is a DNS security solution that blocks malicious domains, IPs, and URLs, but it does not analyze or remediate endpoint activity. Cisco Duo is a multi-factor authentication solution that verifies the identity of users and devices, but it does not protect or detect endpoint attacks. References :=

Some possible references are:

Cisco AMP for Endpoints

Cisco SecureX

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Endpoint Protection and Detection

 Multifactor authentication (MFA) is a solution that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. MFA is more secure than the traditional use of a username and password because it reduces the risk of identity theft, phishing, and credential compromise. MFA can use different types of factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart card), or something the user is (e.g., fingerprint, facial recognition). MFA can be implemented using various methods, such as security defaults, Conditional Access policies, or third-party solutions123. References:

the interface configuration. MAB stands for MAC Authentication Bypass, which is a feature that allows devices that do not support 802.1X, such as printers and video cameras, to bypass the authentication process and gain network access based on their MAC addresses1. By adding mab to the interface configuration, the Cisco ISE administrator can enable MAB as a fallback method after 802.1X fails or times out. This way, the devices that support 802.1X can use their machine certificate credentials, while the devices that do not support 802.1X can use their MAC addresses to authenticate with Cisco ISE2. The other options are not correct because they either compromise the security controls or do not address the problem. Changing the default policy in Cisco ISE to allow all devices not using machine authentication would weaken the security posture and expose the network to unauthorized access. Enabling insecure protocols within Cisco ISE in the allowed protocols configuration would also reduce the security level and increase the risk of attacks. Configuring authentication event fail retry 2 action authorize vlan 41 on the interface would only apply to the devices that fail authentication twice, and would not solve the issue for the devices that do not support 802.1X at all3. References:

1: MAC Authentication Bypass Deployment Guide

2: Configuring MAC Authentication Bypass

3: Cisco Identity Services Engine Administrator Guide, Release 3.1 - Segmentation

To create an access control list (ACL) on a Cisco Adaptive Security Appliance (ASA) firewall, you need to use the access-list command followed by the name of the ACL, the action (permit or deny), the protocol, the source address and mask, and the destination address and mask. For example, to permit HTTP traffic from the inside network 192.168.1.0/24 to any destination on the internet, you can use this command:

access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

This command creates an ACL named inside_access_in that permits TCP traffic from the source network 192.168.1.0/24 to any destination with the destination port equal to 80 (www). The eq keyword is used to specify the port number or name. You can also use the range keyword to specify a range of ports.

To apply the ACL to an interface, you need to use the access-group command followed by the name of the ACL and the direction (in or out). For example, to apply the ACL to the inside interface in the inbound direction, you can use this command:

access-group inside_access_in in interface inside

This command applies the ACL inside_access_in to the interface named inside in the inbound direction. This means that the ACL will filter the traffic that enters the firewall through the inside interface.

Option D is the only option that matches the syntax of the access-list command for the ASA firewall. Option A is incorrect because it uses the ip keyword instead of the tcp keyword. Option B is incorrect because it uses the any keyword for both the source and destination addresses. Option C is incorrect because it uses the host keyword for the source address, which is not valid for a network address.

The process in DevSecOps where all changes in the central code repository are merged and synchronized is called Continuous Integration (CI). CI is a practice that aims to improve the quality and speed of software development by automating the building, testing, and integration of code changes. CI enables developers to collaborate more effectively and detect errors early in the development cycle. CI also helps to ensure that the code in the repository is always in a deployable state and conforms to the security and quality standards123. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 5: Secure Network Access, Identity Management, and Visibility, Lesson 5.1: Introducing DevSecOps 2: DevSecOps code process - AT&T4 3: Building a DevSecOps Culture - from a Technical Perspective5

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

 Firepower NGIPS inline deployment mode is a mode where the NGIPS device is placed in the traffic path and can take actions such as blocking, modifying, or redirecting traffic based on the policies and rules. In this mode, the NGIPS device must have inline interface pairs configured, which are pairs of physical or logical interfaces that act as a single logical interface. The inline interface pairs are connected to the network devices on both sides of the NGIPS device, and the traffic flows through the NGIPS device from one interface to the other. The NGIPS device can inspect and modify the traffic as it passes through the inline interface pairs12. References := 1: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics 2: Configure FTD Interfaces in Inline-Pair Mode

Workload security models refer to the ways of protecting applications, services, and capabilities that run on a cloud resource. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud, and different types of cloud service models, such as IaaS, PaaS, and SaaS. However, these are not workload security models, but rather ways of describing the cloud environment and the level of abstraction. Workload security models are more focused on the location and ownership of the workloads, and how they are secured. The two main workload security models are off-premises and on-premises. Off-premises workload security model means that the workloads are hosted and managed by a third-party cloud service provider, such as AWS, Azure, or GCP. The cloud service provider is responsible for the security of the underlying infrastructure, such as the physical servers, network devices, storage systems, and hypervisors. The customer is responsible for the security of the workloads themselves, such as the guest operating systems, applications, data, and users. The customer can use various tools and techniques to secure their workloads, such as encryption, firewalls, identity and access management, vulnerability scanning, and logging and monitoring. On-premises workload security model means that the workloads are hosted and managed by the customer on their own data center or private cloud. The customer is responsible for the security of both the infrastructure and the workloads, and has full control and visibility over them. The customer can use similar tools and techniques as the off-premises model, but also has to deal with the physical security, network security, and compliance requirements of their own environment. References:

What Is Workload Security? On-Premises, Cloud, Kubernetes, and More

What is Cloud Workload Security? - CyberArk

What is Cloud Workload Protection? | Workload Security | VMware

What is Cloud Workload Security? - Check Point Software

Introduction To Classic Security Models - GeeksforGeeks

Group Encrypted Transport VPN (GET VPN) is used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. GET VPN provides a way to encrypt traffic between sites without the need for point-to-point tunnels, supporting efficient, scalable, and secure communication across a broad network infrastructure.

Explanation

In its essence, FlexVPN is the same as DMVPN. Connections between devices are still point-to-point GRE tunnels, spoke-to-spoke connectivity is still achieved with NHRP redirect message, IOS routers even run the same NHRP code for both DMVPN and FlexVPN, which also means that both are Cisco’s proprietary technologies.

Explanation

Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network, delivered from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer SaaS products and desire better awareness and security in their on-premises environments while reducing capital expenditure and

operational overhead. It works by deploying lightweight software in a virtual machine or server that can

consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.

This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in order to provide visibility and effectively identify active threats, and monitors user and device behavior within onpremises networks.

The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on hardware running a number of different Linux-based operating systems.

 PAC files are scripts that tell web browsers how to use proxies on the network. They use if-else statements to determine whether to use a proxy or a direct connection for traffic between the PC and the host, based on criteria such as the destination URL, the source IP address, or the network subnet12. The WSA can host PAC files on port 9001 by default, and this port can be changed in the PAC file hosting settings2. If the WSA host port is changed, the default port does not redirect web traffic to the correct port automatically; the browser needs to point to the new port in the PAC file URL2. The WSA does not host PAC files on port 6001 by default2. PAC files do not direct traffic through a proxy when the PC and the host are on the same subnet by default; this behavior depends on the PAC file logic12. References:

PAC file format

PAC file hosting on WSA

To connect Cisco Secure Workload to external orchestrators at a client site where incoming connections are not allowed, a reverse tunnel must be used. A reverse tunnel initiates the connection from the inside of the client's network out to the external orchestrator, thereby bypassing restrictions on incoming connections and enabling secure communication.

AES encryption is a symmetric block cipher algorithm that uses a single key to encrypt and decrypt data. It is more secure than 3DES, which is an older and slower algorithm that encrypts and decrypts a key three times in sequence. AES can use different key sizes, such as 128, 192, or 256 bits, depending on the security level required. The longer the key, the more rounds of encryption and decryption are performed, making it harder to break. AES encryption is based on a substitution-permutation network, which consists of a series of operations that transform the input data into the output data using the key. References :=

The WSA uses a root certificate and a private key to decrypt HTTPS traffic. The root certificate must reside in the trusted store of the WSA, and it must be able to sign server certificates on the fly. The server certificates that the WSA generates must contain a SAN (Subject Alternative Name) field, which specifies the hostnames or IP addresses that the certificate is valid for. The SAN field is required by modern browsers and applications to verify the identity of the server. If the WSA does not include a SAN field in the server certificate, the browser or application may reject the connection or display a warning message.

The other options are not correct because:

A. The current date is not a criterion for the WSA to use a certificate to decrypt application traffic. The WSA checks the validity period of the certificate, which includes the start date and the end date. The current date must be within the validity period, but it does not have to be the same as the start date or the end date.

C. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to reside in the trusted store of the endpoint. However, the endpoint must trust the root certificate in order to accept the server certificate that the WSA generates. This can be achieved by manually installing the root certificate on the endpoint, or by using a group policy or a certificate management system to distribute the root certificate to the endpoints.

D. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to be signed by an internal CA. The WSA can generate its own self-signed root certificate, or it can use a root certificate that is signed by an external CA. However, the root certificate must be trusted by the endpoints, as explained in option C.

References := : WSA Certificate Usage for HTTPS Decryption : [User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic]

 Cl/CD pipelining is a method of software development that aims to deliver software faster and more reliably by automating the process of integrating, testing, and deploying code changes. Cl stands for continuous integration, which means that every code change is merged into a shared repository and verified by automated tests. CD stands for continuous delivery, which means that the code is always in a deployable state and can be released to production environments with minimal human intervention. Cl/CD pipelining enables developers to collaborate more effectively, detect and fix errors earlier, and deliver value to customers more frequently. Cl/CD pipelining is a key practice of DevOps, a culture and set of processes that bridge the gap between development and operations teams. References: 

Flood attacks are a type of denial-of-service (DoS) attacks that aim to saturate the bandwidth or resources of a target by sending a large number of packets or requests. Flood attacks can be classified into different categories based on the protocol or layer they target, such as ICMP, UDP, TCP SYN, HTTP, DNS, etc. Flood attacks can also be distributed (DDoS) if they involve multiple sources of attack traffic, such as compromised devices or servers123. References := 1: Denial of Service - OWASP Cheat Sheet Series 2: What is a denial-of-service (DoS) attack? | Cloudflare 3: Types of DOS attacks - GeeksforGeeks

The cloud security shared responsibility model is a way of describing how the security tasks and obligations are divided between the cloud service provider (CSP) and the customer, depending on the type of cloud service model used. The cloud service models are:

Software as a Service (SaaS): The CSP provides and manages the entire software stack, including the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer only needs to access the software through a web browser or an application. The customer is responsible for managing their own data and identities, as well as configuring the security settings of the software. The CSP is responsible for everything else, including patching the operating system and the applications12

Platform as a Service (PaaS): The CSP provides and manages the platform layer, including the runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer can deploy and run their own applications and data on the platform, using the tools and languages supported by the CSP. The customer is responsible for managing their own applications and data, as well as configuring the security settings of the platform. The CSP is responsible for patching the operating system and the middleware12

Infrastructure as a Service (IaaS): The CSP provides and manages the infrastructure layer, including the virtualization, servers, storage, and networking. The customer can provision and use virtual machines, containers, or bare metal servers, and install their own operating system, middleware, applications, and data. The customer is responsible for managing and patching their own operating system, middleware, applications, and data, as well as configuring the security settings of the infrastructure. The CSP is responsible for the physical security and availability of the infrastructure12

References := 1: Shared responsibility in the cloud - Microsoft Azure 2: Cloud security shared responsibility model - NCSC

DNS tunneling is a technique that exploits the DNS protocol to tunnel malware and other data through a client-server model. DNS tunneling can be used for data exfiltration, command and control, or IP-over-DNS tunneling. DNS tunneling works by encoding the information of other protocols or programs in DNS queries and responses. An attacker registers a domain, such as badsite.com, and sets up a malicious DNS server that can interpret the encoded data. The attacker then infects a client with malware that can send and receive DNS queries to the attacker’s domain. The malware can use DNS queries to request commands from the attacker, or to send sensitive data to the attacker. The DNS queries and responses look like normal DNS traffic, but they contain hidden data that can bypass network defenses123. References := 1: What Is DNS Tunneling? - Palo Alto Networks 2: What is DNS Tunneling? - Check Point Software 3: What Is DNS Tunneling and How to Detect and Prevent Attacks

Explanation

Prevalence allows you to view files that have been executed in your deployment.

Note: Threat Root Cause shows how malware is getting onto your computers.

Explanation

The Cisco Umbrella Multi-Org console has the ability to upload, store, and archive traffic activity logs from your organizations’ Umbrella dashboards to the cloud through Amazon S3. CSV formatted Umbrella logs are compressed (gzip) and uploaded every ten minutes so that there’s a minimum of delay between traffic from the organization’s Umbrella dashboard being logged and then being available to download from an S3 bucket.

By having your organizations’ logs uploaded to an S3 bucket, you can then download logs automatically to keep in perpetuity in backup storage.

Cisco ESA uses a multilayer approach to fight viruses and malware. The first layer of defense consists of outbreak filters, which the appliance downloads from Cisco SenderBase. Outbreak filters use global threat intelligence and behavioral analysis to identify and block emerging threats before they reach the network. The second layer of defense consists of antivirus engines, which scan the message body and attachments for known viruses and malware. Cisco ESA supports multiple antivirus engines, such as Sophos, McAfee, and Cisco AMP. The Sophos engine is one of the default engines that Cisco ESA uses, along with McAfee. The Sophos engine provides fast and accurate detection of viruses and malware, and updates its signatures frequently. The other options are not features that are used to configure Cisco ESA with a multilayer approach to fight viruses and malware. A white list is a list of trusted senders or recipients that are exempt from spam or virus filtering. RAT is the Recipient Access Table, which is used to determine whether the appliance accepts or rejects messages to a recipient address. DLP is Data Loss Prevention, which is used to prevent sensitive or confidential data from leaving the network. References :=

Email Security Using Cisco ESA

Demystifying Cisco ESA HAT, RAT Tables and Deployment Types

Email Security Deployment Guide - Cisco

Explanation

Explanation

A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target

machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP

fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

FlexVPN and DMVPN are both Cisco technologies that use point-to-point GRE tunnels to create dynamic VPN networks. However, they differ in some aspects, such as:

FlexVPN is a newer solution that requires newer hardware and IOS versions, while DMVPN is more widely supported on older devices1.

FlexVPN is based on IKEv2, which is a more robust and efficient protocol than IKEv1, which is used by DMVPN (although DMVPN can also use IKEv2)2.

FlexVPN uses static or virtual access interfaces for GRE tunnels, while DMVPN uses a single multipoint GRE interface. This allows more flexibility and visibility for FlexVPN tunnels2.

FlexVPN does not require NHRP registration for spokes to communicate with the hub, while DMVPN does. This simplifies the configuration and reduces the overhead of NHRP3.

FlexVPN has only one standard mode of operation, while DMVPN has three phases with different characteristics and configurations2.

References := 1: what is the difference between dmvpn and flexvpn 2: Cisco FlexVPN DMVPN, Part 1 - Overview and Design 3: DMVPN to FlexVPN Soft Migration Configuration Example

The access control rule in the exhibit has the following characteristics:

The rule name is DMZ_Rule and it is enabled.

The action set for this rule is Trust, meaning traffic matching this rule will not be subjected to further inspection.

The source zones are not specified, meaning any zone can match this rule.

The destination zone is DMZ_Inside, meaning only traffic destined to this zone can match this rule.

Therefore, the effect of this rule is that all traffic from any zone to the DMZ_Inside zone will be permitted with no further inspection. This is the correct answer, option A.

The other options are incorrect because they do not match the configuration of the rule or the behavior of the Trust action. Option B is incorrect because traffic will be allowed through to the DMZ_Inside zone, not blocked. Option C is incorrect because traffic will not be inspected before being allowed to the DMZ_Inside zone. Option D is incorrect because traffic does not need to be trusted to be allowed to the DMZ_Inside zone. References:

Firepower Management Center Configuration Guide, Version 6.6 - Access Control Rules

Firepower Management Center Device Configuration Guide, 7.1 - Access Control Policies

How to Deploy FMC/FTD part 2 – Access Control Policies

The RAT (Recipient Access Table) is the list that contains the allowed recipient addresses on the Cisco ESA. The RAT controls whether the ESA accepts or rejects messages to a recipient address based on the sender group and the mail policy. The RAT can be configured to allow, relay, or reject messages to specific recipients or domains. The RAT can also be used to apply different message filters or content filters to different recipient groups12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 3: Deploying Cisco Email Security Appliance, Topic: Configuring Mail Policies2: Cisco Email Security Appliance User Guide, Release 13.5 - Configuring Mail Policies [Cisco Secure Email Gateway] - Cisco.

Using a company-managed Amazon S3 bucket for Cisco Umbrella logs allows the administrator to have full control over the access and lifecycle of the log data. This configuration can grant third-party SIEM integrations write access to the S3 bucket, which can enable more advanced analysis and correlation of the log data with other sources. This configuration also provides more flexibility in terms of how long the data can be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention period of 30 days. References:

Enable Logging to Your Own S3 Bucket

Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP, and Multi-org customers

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Cisco strongly recommends that you keep the default settings for the remote management port, but if the

management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Explanation

Explanation

Security Intelligence Sources

…

Custom Block lists or feeds (or objects or groups)

Block specific IP addresses, URLs, or domain names using a manually-created list or feed (for IP addresses,

you can also use network objects or groups.)

For example, if you become aware of malicious sites or addresses that are not yet blocked by a feed, add these

sites to a custom Security Intelligence list and add this custom list to the Block list in the Security Intelligence

tab of your access control policy.

Explanation

Each of the ASAs interfaces need to be grouped into one or more bridge groups. Each of these groups acts as an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge group without assistance from an external router.

As of 8.4(1) upto 8 bridge groups are supported with 2-4 interface in each group. Prior to this only one bridge group was supported and only 2 interfaces.

Up to 4 interfaces are permitted per bridge–group (inside, outside, DMZ1, DMZ2)

Network telemetry is the collection, measurement, and analysis of data related to the behavior and performance of a network1. It involves gathering information about routers, switches, servers, and applications to gain insights into how they function and how data moves through them. To correlate different sources of network telemetry data, it is important to enable Network Time Protocol (NTP) across all network infrastructure devices. NTP is a protocol that synchronizes the clocks of network devices to a common reference time source2. This ensures that the network telemetry data has consistent timestamps and can be compared and correlated accurately. NTP also helps with troubleshooting network issues, as it allows network administrators to pinpoint the exact time of events and anomalies. NTP is a core security technology that is covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course3, which helps you prepare for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Network Telemetry Explained: Frameworks, Applications & Standards - Splunk 2: [Network Time Protocol (NTP) - Cisco] 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Explanation

Cisco Hybrid Email Security is a unique service offering that combines a cloud-based email security deployment

with an appliance-based email security deployment (on premises) to provide maximum choice and control for

your organization. The cloud-based infrastructure is typically used for inbound email cleansing, while the onpremises appliances provide granular control – protecting sensitive information with data loss

prevention (DLP) and encryption technologies.

Configure a Crypto ISAKMP Key

In order to configure a preshared authentication key, enter the crypto isakmp key command in global configuration mode:

crypto isakmp key cisco123 address 172.16.1.1

It is a bad practice but it is valid. 172.16.0.0/16 the full range will be accepted as possible PEER

Testing without a netmask shows that command interpretation has a preference for /16 and /24. CSR-1(config)#crypto isakmp key cisco123 address 172.16.0.0

CSR-1(config)#do show crypto isakmp key | i cisco

default 172.16.0.0 [255.255.0.0] cisco123

CSR-1(config)#no crypto isakmp key cisco123 address 172.16.0.0

CSR-1(config)#crypto isakmp key cisco123 address 172.16.1.0

CSR-1(config)#do show crypto isakmp key | i cisco

default 172.16.1.0 [255.255.255.0] cisco123

CSR-1(config)#no crypto isakmp key cisco123 address 172.16.1.0

CSR-1(config)#crypto isakmp key cisco123 address 172.16.1.128

CSR-1(config)#do show crypto isakmp key | i cisco default 172.16.1.128 cisco123

CSR-1(config)#

The API key is a secret token that is used to authenticate the client to the server. It is functionally equivalent to a username and password, and should be treated as such. The API key is passed as part of the HTTP header in the request, using the Authorization: Basic scheme. The API key is combined with the client ID and encoded in base64 format. For example, if the client ID is d16aff14860af496e848 and the API key is d01ed435-b00d-4a4d-a299-1806ac117e72, the HTTP header would look like this:

Authorization: Basic ZDE2YWZmMTQ4NjBhZjQ5NmU4NDg6ZDAxZWQ0MzUtYjAwZC00YTRkLWEyOTktMTgwNmFjMTE3ZTcy

The server then decodes the header and verifies the credentials. If the credentials are valid, the server grants access to the requested resource. If the credentials are invalid, the server returns an HTTP 401 Unauthorized error.

The API key performs the function of HTTP authentication, which is the process of verifying the identity of the client. HTTP authentication is different from HTTP authorization, which is the process of determining the permissions of the client. HTTP authorization is based on the scope of the API credential, which can be either read-only or read & write. The scope determines what actions the client can perform on the Cisco AMP for Endpoints data.

Importing requests is not a function of the API key, but rather a Python module that allows sending HTTP requests. Playing dent ID is not a meaningful term in this context. Therefore, the correct answer is C. References:

Secure Endpoint API - Cisco DevNet

Overview of the Cisco AMP for Endpoints API - Cisco

Configure AMP for Endpoints Event Stream Feature - Cisco

Explanation

The appliance will try once to upload the file; if upload is not successful, for example because of

connectivity problems, the file may not be uploaded. If the failure was because the file analysis server was overloaded, the upload will be attempted once more.

Explanation

Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution will prevent other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely

identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request

message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.

L2TP and GRE are both tunneling protocols that can be used to create site-to-site VPNs. However, they have some differences in how they encapsulate and transport data. L2TP is a layer 2 protocol that uses IP packet encapsulation to carry PPP frames over an IP network. L2TP does not add any additional header to the IP packet, but relies on IPsec to provide encryption and authentication. GRE is a layer 3 protocol that adds its own header to the IP packet, which contains information such as the protocol type, checksum, and key. GRE can be used to carry any type of payload over an IP network, not just PPP frames. GRE also requires IPsec to provide security for the tunnel. Therefore, the correct answer is C, because GRE over IPsec adds its own header, and L2TP does not1234 References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Secure Connectivity 2: What is the difference between L2TP vs GRE 3: GRE over IPSec vs L2TP over IPSEC 4: difference between L2TP/GRE/MPLS

Phishing attacks are a type of social engineering that aim to trick users into revealing their personal or financial information, or installing malware on their devices. To control phishing attacks, users and organizations need to implement various preventive and reactive measures, such as:

Enable browser alerts for fraudulent websites. Most modern browsers have built-in features that can warn users when they visit a website that is suspected of being malicious or impersonating a legitimate entity. These alerts can help users avoid falling for phishing scams that use fake web pages to capture their credentials or other sensitive data. For example, Google Chrome has a Safe Browsing feature that displays a red warning page when users try to access a deceptive site. Users should always pay attention to these alerts and avoid proceeding to untrusted sites.

Implement email filtering techniques. Email is one of the most common channels for phishing attacks, as attackers can send spoofed messages that appear to come from trusted sources, such as banks, government agencies, or colleagues. Email filtering techniques can help block or flag suspicious emails based on various criteria, such as the sender’s address, the subject line, the content, or the attachments. For example, Microsoft Outlook has a Junk Email Filter that can move potential phishing emails to a separate folder or delete them automatically. Users should also be careful not to open or reply to any unsolicited or unexpected emails, especially those that ask for personal or financial information, or contain links or attachments.

Other mechanisms that can help control phishing attacks include:

Use strong passwords and enable two-factor authentication. Even if users fall victim to phishing attacks and reveal their passwords, they can still protect their accounts by using strong and unique passwords for each service, and enabling two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring users to enter a code or a token that is sent to their phone or email, or generated by an app, in addition to their password. This way, even if attackers obtain the password, they cannot access the account without the second factor.

Don’t ignore update messages. Users should always keep their operating systems, browsers, and applications updated with the latest security patches and fixes. These updates can help prevent phishing attacks that exploit known vulnerabilities or bugs in the software. Users should also use antivirus and antispyware software that can detect and remove malware that may be installed by phishing attacks.

Exercise caution when opening emails or clicking on links. Users should always be skeptical and vigilant when they receive emails or messages that ask them to take urgent or unusual actions, such as verifying their account, updating their payment information, or downloading a file. Users should also check the sender’s address, the spelling and grammar, and the URL of any links before clicking on them. Users can hover over the link to see the actual destination, or use a link scanner tool, such as VirusTotal, to check if the link is malicious or not.

References :=

1:

Explanation

Explanation

As the new device does not have a supplicant, we cannot use 802.1X.

MAC Authentication Bypass (MAB) is a fallback option for devices that don’t support 802.1x. It is virtually

always used in deployments in some way shape or form. MAB works by having the authenticator take the

connecting device’s MAC address and send it to the authentication server as its username and password. The authentication server will check its policies and send back an Access-Accept or Access-Reject just like it would with 802.1x.

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the

network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network

endpoint to build an internal endpoint database. The classification process matches the collected attributes to prebuilt or user-defined conditions, which are then correlated to an extensive library of profiles. These profiles include a wide range of device types, including mobile clients (iPads, Android tablets, Chromebooks, and so

on), desktop operating systems (for example, Windows, Mac OS X, Linux, and others), and numerous non-user systems such as printers, phones, cameras, and game consoles.

Once classified, endpoints can be authorized to the network and granted access based on their profile. For example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC Authentication Bypass (MAB) as the authentication method. Another example is to provide differentiated network access to users based on the device used. For example, employees can get full access when accessing the network from their corporate workstation but be granted limited network access when accessing the network from their personal iPhone.

Cisco ISE is a platform that can onboard the endpoint and can issue a CA signed certificate while also automatically configuring endpoint network settings to use the signed endpoint certificate, allowing the endpoint to gain network access. Cisco ISE has an internal CA service that can validate and sign certificate requests from endpoints, generate and store keys and certificates, and provide an OCSP responder to check the validity of certificates. Cisco ISE also supports Enrollment over Secure Transport (EST), which is a protocol that allows endpoints to securely enroll with a CA and obtain certificates. Cisco ISE can use EST to provision certificates to endpoints and configure their network settings to use EAP-TLS authentication. Cisco ISE can also use BYOD workflows to onboard endpoints and issue certificates to them. References:

Understand ISE Internal Certificate Authority Services

Endpoint On-boarding using Internal ISE CA

Cisco ISE BYOD Prescriptive Deployment Guide

Microsegmentation is a technique that divides a network into smaller segments or zones, each with its own security policies and controls. This helps to isolate and protect workloads and applications from each other, and limit the lateral movement of threats within the network. Microsegmentation can be applied to different platforms and environments, such as virtual machines, containers, cloud services, and endpoints. Microsegmentation can also improve the visibility and enforcement of network traffic, as well as the performance and scalability of security solutions.

In the context of applications or containers on the same node, microsegmentation can limit the communication between them by enforcing granular policies based on attributes such as identity, context, and behavior. For example, microsegmentation can restrict which ports, protocols, or services are allowed for each application or container, and block any unauthorized or malicious traffic. Microsegmentation can also prevent the exposure of sensitive data or resources to other applications or containers on the same node, or to external attackers who may compromise one of them.

Container orchestration, microservicing, and Software-Defined Access are not directly related to limiting the communication between applications or containers on the same node. Container orchestration is a process of managing the lifecycle, deployment, and scaling of containers across a cluster of nodes. Microservicing is an architectural style of developing applications as a collection of loosely coupled, independent, and modular services. Software-Defined Access is a network architecture that abstracts the network infrastructure from the network policies, and enables consistent and secure access to any application or service across any domain. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.1: Describing Cloud Computing and Deployment Models, Topic 5.1.4: Microsegmentation

What Is Micro-Segmentation? - Cisco

Communicating With Docker Containers on the Same Machine - Baeldung on Ops

 Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of containerized applications across multiple clouds. It provides the following benefits to customers who utilize cloud service providers12:

Allows developers to create code once and deploy to multiple clouds. CCP is based on open source components, such as Kubernetes and Docker, that are compatible with various cloud platforms. This enables developers to write code once and run it anywhere, without worrying about the underlying infrastructure or vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing customers to leverage the best features of different cloud providers and optimize their costs and performance.

Manages Kubernetes clusters. CCP automates the installation, configuration, and maintenance of Kubernetes clusters, which are groups of nodes that run containerized applications. CCP provides a simple GUI-driven menu system to deploy clusters, as well as automated monthly updates for bug fixes, feature enhancements, and security patches. CCP also offers a choice of networking solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters. CCP also integrates with Cisco AppDynamics and Prometheus for visibility and monitoring of the clusters and applications. References:

Cisco Container Platform - Cisco

Cisco Container Platform - At-a-Glance - Cisco

Configuring the IEEE 802.1X Flexible Authentication feature to support Layer 3 authentication mechanisms involves adding MAC Authentication Bypass (MAB) into the switch configuration. This allows devices that do not support 802.1X to be authenticated using their MAC address. Once MAB identifies the device, it can then be redirected to a Layer 3 device for further authentication, thus providing a mechanism to support devices requiring Layer 3 authentication methods.

Explanation

SSL Decryption is an important part of the Umbrella Intelligent Proxy. he feature allows the Intelligent Proxy to go beyond simply inspecting normal URLs and actually proxy and inspect traffic that’s sent over HTTPS. The SSL Decryption feature does require the root certificate be installed.

A Simple Custom Detection List is a feature of Cisco AMP for Endpoints that allows administrators to create a list of SHA-256 hashes of files that they want to detect, block, and quarantine on their endpoints. The list can be applied to a policy and the connectors will synchronize with the latest changes. However, the list only works with the exact SHA-256 hashes that are provided, and it does not detect any variations or modifications of the files. Therefore, if the malicious file abc428565580xyz.exe has been altered in any way, such as by changing its name, size, or content, the Simple Custom Detection List will not be able to recognize it as a threat. To ensure detection of the malicious file, the administrator must upload the SHA-256 hash of the current version of the file to the Simple Custom Detection List, or use another method that can detect file variations, such as an Advanced Custom Detection List or Cisco Threat Grid. References :=

Some possible references are:

Configure a Simple Custom Detection List on the AMP for Endpoints Portal

Create an Advanced Custom Detection List in Cisco Secure Endpoint

[Cisco AMP for Endpoints User Guide]

Explanation

Compared to RSA, the prevalent public-key cryptography of the Internet today, Elliptic Curve Cryptography (ECC) offers smaller key sizes, faster computation,as well as memory, energy and bandwidth savings and is thus better suited forsmall devices.

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution