350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

DHCP option 82 is a feature that allows the network access device (NAD) to insert additional information into the DHCP request packet from the endpoint. This information can include the switch ID, port number, VLAN ID, and other attributes that can help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to assign the endpoint to the appropriate identity group, policy, and authorization profile. DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and parse the option 82 data from the NAD. For more details on how to configure DHCP option 82 on Cisco ISE and NAD, see the references below. References:

Configuring the DHCP Probe

Securing Your Network From DHCP Risks

Can we use ISE as DHCP/DNS server to prevent guest traffic using …

Cisco Stealthwatch is a network security and visibility platform that provides an agentless solution to monitor network traffic and detect threats, including those in encrypted traffic. Stealthwatch uses Encrypted Traffic Analytics (ETA), a technology that leverages network telemetry and machine learning to identify malicious patterns and behaviors in encrypted traffic without decryption. ETA can also assess the cryptographic strength and compliance of the encryption protocols used in the network. Stealthwatch integrates with other Cisco security products, such as Cisco Identity Services Engine (ISE) and Cisco Advanced Malware Protection (AMP), to provide contextual information and threat intelligence for faster and more effective response. Stealthwatch is the only Cisco platform that offers ETA as a solution to provide visibility across the network, including encrypted traffic analytics, to detect malware in encrypted traffic without the need for decryption. References :=

Some possible references are:

Cisco Secure Network Analytics (Stealthwatch) - Cisco, Cisco

Encrypted Traffic Analytics > Security | Cisco Press, Cisco Press

Solutions - Encrypted Traffic Analytics with the New Cisco Network and Secure Network Analytics At-a-Glance - Cisco, Cisco

Cisco Encrypted Traffic Analytics White Paper, Cisco

When a Cisco WSA receives a web request, it evaluates it against the policies in the policy table. Each policy type has a predefined, global policy, which maintains default actions for that policy type. If the web request does not match any user-defined policy, the WSA applies the global policy. The global policy can be configured to allow, block, or redirect the web request based on various criteria. The global policy acts as a catch-all policy for any web request that is not explicitly handled by a user-defined policy. References :=

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Create Policies to Control Internet Requests

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

ETHOS is one of the many detection engines that AMP uses to continuously protect you from malware. It is only available in the public cloud, as it requires a large amount of data and processing power to operate. ETHOS uses machine learning to analyze the behavior and characteristics of files and determine their maliciousness. It can detect both known and unknown threats, as well as polymorphic and metamorphic malware that can change their appearance or code. ETHOS is part of the AMP cloud’s dynamic analysis capabilities, which also include SPERO and Threat Grid12.

The private cloud instance of AMP does not have ETHOS, as it is meant to be an on-premises, self-contained solution that satisfies stringent privacy requirements. The private cloud instance also does not have SPERO or Threat Grid, unless they are deployed separately as additional appliances. The private cloud instance relies on the TETRA detection engine, which is a signature-based engine that can identify known malware. TETRA is updated regularly with new signatures from the AMP cloud, but it cannot detect unknown or zero-day threats as effectively as ETHOS34.

Therefore, the capability that is exclusive to the AMP public cloud instance as compared to the private cloud instance is the ETHOS detection engine. References: 1: Cisco Advanced Malware Protection Private Cloud Appliance Data Sheet 2: What is AMP Private Cloud 3: Deploy Cisco AMP Private Cloud on Cisco HyperFlex Systems 4: AMP Private Cloud vs Public Cloud Dashboard different

Explanation

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal,

often financial, information. Attackers may send email seemingly from a reputable credit card company or

financial institution that requests account information, often suggesting that there is a problem.

 Microsegmentation is a method of securing multi cloud data centers using granular segmentation rules for the individual workload or application, reducing the risk of an attacker moving from one compromised workload or application to another1. Microsegmentation with Cisco ACI enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine (VM)-based attributes2. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center1. References: 1: What Is Micro-Segmentation? - Cisco 2: Microsegmentation with Cisco ACI

Explanation

Explanation

A certificate signing request (CSR) is one of the first steps towards getting your own SSL Certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) that the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key

Explanation

DNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS

queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS

server and used to control a remote server and applications.

 The RADIUS CoA feature supports five IETF attributes as defined in RFC 5176. These are:

Event-Timestamp: This attribute indicates the time when the CoA request was generated by the server.

State: This attribute contains a value that is copied from the Access-Accept message that authorized the session.

Session-Timeout: This attribute specifies the maximum number of seconds of service provided to the user before termination of the session or prompt.

Idle-Timeout: This attribute specifies the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter-Id: This attribute identifies the filter list to be applied to the user session.

The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined by Cisco or other vendors. These VSAs can be used to perform additional actions such as port shutdown, port bounce, or security and password accounting. References :=

Some possible references are:

RFC 5176: This document describes the dynamic authorization extensions to RADIUS, including the CoA request and response codes, and the supported IETF attributes.

RADIUS Change of Authorization - Cisco: This document provides the configuration guide for the RADIUS CoA feature on Cisco IOS devices, including the supported IETF and Cisco VSAs.

Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists the supported IETF attributes and error clause values for the RADIUS CoA feature on Ruckus devices.

V

The WSA uses a root certificate and a private key to decrypt HTTPS traffic. The root certificate must reside in the trusted store of the WSA, and it must be able to sign server certificates on the fly. The server certificates that the WSA generates must contain a SAN (Subject Alternative Name) field, which specifies the hostnames or IP addresses that the certificate is valid for. The SAN field is required by modern browsers and applications to verify the identity of the server. If the WSA does not include a SAN field in the server certificate, the browser or application may reject the connection or display a warning message.

The other options are not correct because:

A. The current date is not a criterion for the WSA to use a certificate to decrypt application traffic. The WSA checks the validity period of the certificate, which includes the start date and the end date. The current date must be within the validity period, but it does not have to be the same as the start date or the end date.

C. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to reside in the trusted store of the endpoint. However, the endpoint must trust the root certificate in order to accept the server certificate that the WSA generates. This can be achieved by manually installing the root certificate on the endpoint, or by using a group policy or a certificate management system to distribute the root certificate to the endpoints.

D. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to be signed by an internal CA. The WSA can generate its own self-signed root certificate, or it can use a root certificate that is signed by an external CA. However, the root certificate must be trusted by the endpoints, as explained in option C.

References := : WSA Certificate Usage for HTTPS Decryption : [User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic]

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

Cisco FTDv in AWS can be deployed in two different deployment models: single-instance and cluster. In both models, the FTDv can be configured in routed mode and managed by either an FMCv installed in AWS or a physical FMC appliance on premises. The FTDv can also use Geneve encapsulation for traffic interfaces to support AWS Gateway Load Balancer (GWLB) integration. The following table summarizes the supported deployment model configurations for FTDv in AWS:

Table

Deployment Model

Management Mode

Traffic Mode

Geneve Encapsulation

Single-instance

FMCv in AWS

Routed

Optional

Single-instance

FMC on premises

Routed

Optional

Cluster

FMCv in AWS

Routed

Required

Cluster

FMC on premises

Routed

Required

References :=

Deploy the Threat Defense Virtual on AWS - Cisco

Deploy a Threat Defense Virtual Cluster on AWS - Cisco

Configure Geneve Interfaces in Secure FTDv - Cisco

Deployment of Cisco Secure FTDv and FMCv instances in AWS - Terraform

Solved: FTD virtual appliance in AWS - Cisco Community