350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

To block all subdomains of domain.com, the administrator should configure the domain.com address in the block list. This is because Umbrella automatically applies a left side and right side wildcard to every domain in a block or allow destination list. Therefore, adding domain.com to a block list will result in requests to domain.com or its subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is not supported and will not work. Adding the *.com address in the block list will block all domains that end with .com, which is not the desired outcome. References:

Understanding Destination lists supported entries and error messages

Wildcards and Destination Lists

Explanation

The syntax of this command is: flow-export destination interface-name ipv4-address | hostname udp-port

This command is used on Cisco ASA to configure Network Secure Event Logging (NSEL) collector to which

NetFlow packets are sent. The destination keyword indicates that a NSEL collector is being configured.

+ The interface-name argument is the name of the ASA and ASA Services Module interface through which the

collector is reached.

+ The ipv4-address argument is the IP address of the machine running the collector application.

+ The hostname argument is the destination IP address or name of the collector.

+ The udp-port argument is the UDP port number to which NetFlow packets are sent.

You can configure a maximum of five collectors. After a collector is configured, template records are

automatically sent to all configured NSEL collectors.

Explanation

Explanation

You can also monitor on-premises networks in your organizations using Cisco Stealthwatch Cloud. In order to do so, you need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical appliance).

Explanation

The Version 1 format was the initially released version. Do not use the Version 1 format unless you are using a legacy collection system that requires it. Use Version 9 or Version 5 export format.

Version 5 export format is suitable only for the main cache; it cannot be expanded to support new features.

Version 8 export format is available only for aggregation caches; it cannot be expanded to support new

features.

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

Cisco CWS eliminates the need to backhaul traffic through headquarters for remote workers whereas Cisco WSA does not. Cisco CWS is a cloud-based web security service that provides comprehensive protection against web-based threats for users anywhere, on any device1. Cisco WSA is an on-premises web security appliance that provides web filtering, malware scanning, data loss prevention, and other features for users within the network perimeter2. One of the benefits of using Cisco CWS over Cisco WSA is that it eliminates the need to backhaul traffic through headquarters for remote workers, which can reduce bandwidth costs, latency, and complexity3. Remote workers can connect directly to the nearest Cisco CWS data center and receive the same level of web security as if they were in the office. Cisco WSA, on the other hand, requires remote workers to use a VPN or proxy to route their web traffic through the headquarters, which can affect their performance and user experience. References:

1: Cisco Cloud Web Security Data Sheet

2: Cisco Secure Web Appliance Data Sheet

3: Cisco Cloud Web Security: Comprehensive Defense, Advanced Threat Protection, and Superior Flexibility for Your Business

: Cisco Cloud Web Security: How It Works

: Cisco Cloud Web Security: FAQ

The crypto isakmp identity hostname command is required to define the identity used by the router when participating in the Internet Key Exchange protocol. This command is needed when you specify preshared keys for authentication. The ip name-server command is required to specify the IP address of the DNS server that can resolve the FQDN of the remote peer. This command is needed when you use the crypto isakmp key command with the hostname option instead of the address option. The other commands are not required or correct for this scenario. References: 1, 2, 3

To create an access control list (ACL) on a Cisco Adaptive Security Appliance (ASA) firewall, you need to use the access-list command followed by the name of the ACL, the action (permit or deny), the protocol, the source address and mask, and the destination address and mask. For example, to permit HTTP traffic from the inside network 192.168.1.0/24 to any destination on the internet, you can use this command:

access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

This command creates an ACL named inside_access_in that permits TCP traffic from the source network 192.168.1.0/24 to any destination with the destination port equal to 80 (www). The eq keyword is used to specify the port number or name. You can also use the range keyword to specify a range of ports.

To apply the ACL to an interface, you need to use the access-group command followed by the name of the ACL and the direction (in or out). For example, to apply the ACL to the inside interface in the inbound direction, you can use this command:

access-group inside_access_in in interface inside

This command applies the ACL inside_access_in to the interface named inside in the inbound direction. This means that the ACL will filter the traffic that enters the firewall through the inside interface.

Option D is the only option that matches the syntax of the access-list command for the ASA firewall. Option A is incorrect because it uses the ip keyword instead of the tcp keyword. Option B is incorrect because it uses the any keyword for both the source and destination addresses. Option C is incorrect because it uses the host keyword for the source address, which is not valid for a network address.

 The API key is used for HTTP authentication when working with APIs, including https://api.amp.cisco.com/v1/computers. It ensures that the user or system making the API request is authenticated and authorized to access the resources requested. The image you sent shows a Python code snippet that imports the requests module, assigns a client ID and an API key to variables, and uses them to make an API call. The API key is passed as a header parameter in the requests.get() function, which is a common way of implementing HTTP authentication. The other options are not correct because they do not describe the role of the API key. The client ID is a different parameter that identifies the user or system making the request, but it does not authenticate them. HTTP authorization is a process of granting or denying access to resources based on the user’s identity and permissions, but it is not the same as authentication. Importing requests is a Python statement that loads the requests module, which is a library for making HTTP requests, but it has nothing to do with the API key. References :=

Some possible references are:

Cisco AMP for Endpoints API

requests - HTTP for Humans

HTTP authentication - MDN Web Docs

The cloud security shared responsibility model is a way of describing how the security tasks and obligations are divided between the cloud service provider (CSP) and the customer, depending on the type of cloud service model used. The cloud service models are:

Software as a Service (SaaS): The CSP provides and manages the entire software stack, including the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer only needs to access the software through a web browser or an application. The customer is responsible for managing their own data and identities, as well as configuring the security settings of the software. The CSP is responsible for everything else, including patching the operating system and the applications12

Platform as a Service (PaaS): The CSP provides and manages the platform layer, including the runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer can deploy and run their own applications and data on the platform, using the tools and languages supported by the CSP. The customer is responsible for managing their own applications and data, as well as configuring the security settings of the platform. The CSP is responsible for patching the operating system and the middleware12

Infrastructure as a Service (IaaS): The CSP provides and manages the infrastructure layer, including the virtualization, servers, storage, and networking. The customer can provision and use virtual machines, containers, or bare metal servers, and install their own operating system, middleware, applications, and data. The customer is responsible for managing and patching their own operating system, middleware, applications, and data, as well as configuring the security settings of the infrastructure. The CSP is responsible for the physical security and availability of the infrastructure12

References := 1: Shared responsibility in the cloud - Microsoft Azure 2: Cloud security shared responsibility model - NCSC

 Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of containerized applications across multiple clouds. It provides the following benefits to customers who utilize cloud service providers12:

Allows developers to create code once and deploy to multiple clouds. CCP is based on open source components, such as Kubernetes and Docker, that are compatible with various cloud platforms. This enables developers to write code once and run it anywhere, without worrying about the underlying infrastructure or vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing customers to leverage the best features of different cloud providers and optimize their costs and performance.

Manages Kubernetes clusters. CCP automates the installation, configuration, and maintenance of Kubernetes clusters, which are groups of nodes that run containerized applications. CCP provides a simple GUI-driven menu system to deploy clusters, as well as automated monthly updates for bug fixes, feature enhancements, and security patches. CCP also offers a choice of networking solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters. CCP also integrates with Cisco AppDynamics and Prometheus for visibility and monitoring of the clusters and applications. References:

Cisco Container Platform - Cisco

Cisco Container Platform - At-a-Glance - Cisco

 Intelligent Multi-Scan (IMS) is a feature that enables the Cisco ESA to perform multiple anti-spam scans on each message and apply different actions based on the results. IMS also includes the Graymail Detection and Safe Unsubscribe services, which allow the ESA to identify and filter messages that are not strictly spam, but are low-priority or unwanted by the end user, such as newsletters, social media notifications, or marketing emails. The Graymail Detection service can classify messages into different categories, such as bulk, mass, or subscription, and assign different scores and verdicts to them. The Safe Unsubscribe service can provide a link for the end user to safely unsubscribe from the sender’s mailing list, without revealing their email address or opening a malicious URL. To enable the blocking of greymail for the end user, the administrator must first enable the IMS feature globally and then configure the Graymail and Safe Unsubscribe settings in the mail policies. The administrator can also enable the centralized spam quarantine and the end-user quarantine interface to allow the end user to manage their own quarantined messages. References :=

Best Practice Guide for Anti-Spam, Anti-Virus, Graymail and Outbreak Filters

Graymail Detection and Safe Unsubscribing Functionality