350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.

DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

When a transparent authentication fails on the Web Security Appliance (WSA), the end user gets blocked access. This means that the user cannot access any web resources until they successfully authenticate. The WSA can use different methods to authenticate users transparently, such as Transparent User Identification (TUI), Transparent Identification, or Kerberos1. If none of these methods work, the WSA will send a block page to the user with a message explaining why the authentication failed and how to resolve the issue2. The block page can be customized by the administrator to provide more information or instructions to the user3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.3: Cloud Application Security, Topic 4.3.2: Cisco Umbrella, page 4-59. 2: User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment), Chapter: Acquire End-User Credentials, Topic: Failed Authentication Credentials, page 4-67. 3: User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment), Chapter: Customize End-User Notifications, Topic: Customize Block Pages, page 5-1.

ZBFW stands for Zone-Based Firewall, which is a feature that allows unidirectional application of IOS firewall policies between groups of interfaces known as zones. Interfaces are assigned to zones, and firewall rules are applied to specific types of traffic moving in one direction between the zones. ZBFW enforces a secure inter-zone policy by default, meaning traffic cannot pass between security zones until an explicit policy allowing that traffic is defined. The zone itself is an abstraction of multiple interfaces with the same or similar security requirements that can be logically grouped together. ZBFW is CBAC’s replacement and offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic. ZBFW is supported on IOS devices running 12.4(6)T or later, and ASR devices running 12.2(33) or later. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.1: Introducing Cisco Cloud Services Router 1000V Series, Topic 4.1.2: Zone-Based Firewall

Understand the Zone-Based Policy Firewall Design

Managing Zone-based Firewall Rules

Zone Based Firewall Overview

CBAC vs. Zone-based firewall

Cisco Defense Orchestrator (CDO) is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms. CDO centrally manages elements of policy and configuration across Cisco ASA, Cisco Firepower, Cisco Meraki, and AWS1. CDO also provides visibility, automation, and orchestration capabilities to simplify and unify security operations2. The other options are not cloud security software that can centrally manage policies on multiple platforms. Cisco Configuration Professional is a device management tool for Cisco routers and switches. Cisco Secureworks is a security services provider that offers threat intelligence and incident response. Cisco DNAC is a network controller that automates and assures services across campus, branch, and edge networks. References :=

Cisco Defense Orchestrator Data Sheet

Cisco Defense Orchestrator

To block all subdomains of domain.com, the administrator should configure the domain.com address in the block list. This is because Umbrella automatically applies a left side and right side wildcard to every domain in a block or allow destination list. Therefore, adding domain.com to a block list will result in requests to domain.com or its subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is not supported and will not work. Adding the *.com address in the block list will block all domains that end with .com, which is not the desired outcome. References:

Understanding Destination lists supported entries and error messages

Wildcards and Destination Lists

The W32/AutoRun worm is a type of malware that spreads through removable drives, such as USB flash drives, and modifies the autorun.inf file to execute itself when the drive is inserted. The worm also attempts to connect to a remote server and download additional malicious files. One of the features of this worm is that it generates random domain names based on the current date and time, and sends DNS requests to these domains. This is a technique to evade detection and analysis, as well as to communicate with the command and control server. The DNS requests generated by the worm have a distinctive pattern, such as the length of the domain name, the number of subdomains, and the use of redacted characters. By comparing these features to the expected behavior of normal DNS requests, security analysts can identify the presence of the worm and block its traffic. References :=

Some possible references are:

W32/AutoRun worm

DNS requests malicious attack

Four major DNS attack types and how to mitigate them

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

sfr {fail-open | fail-close [monitor-only]} <- There's a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn't seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01101.html Policy Order The order in which policies are listed in a policy table determines the priority with which they are applied to Web requests. Web requests are checked against policies beginning at the top of the table and ending at the first policy matched. Any policies below that point in the table are not processed. If no user-defined policy is matched against a Web request, then the global policy for that policy type is applied. Global policies are always positioned last in Policy tables and cannot be re-ordered.