350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

Two-factor authentication is a security feature that requires users to provide two forms of information before gaining access to the Cisco ESA. The two factors are usually something the user knows, such as a password, and something the user has, such as a token or a code. Two-factor authentication can be enabled for specific user roles on the Cisco ESA through a RADIUS server, which is an external authentication server that supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS server can generate and validate the second factor for the users, such as a one-time password (OTP) or a time-based one-time password (TOTP). To enable two-factor authentication through a RADIUS server, the network engineer must configure the RADIUS server settings on the Cisco ESA, and assign the user roles that require two-factor authentication to use the RADIUS server as the authentication source. This can be done on the System Administration > Users page in the web interface, or by using the userconfig command in the CLI12.

A cluster is a group of Cisco ESAs that share the same configuration information and can be managed centrally. A cluster can provide increased reliability, flexibility, and scalability for the email security system. To join a cluster, a Cisco ESA must have the same AsyncOS version as the other cluster members, and must use a pre-shared key to authenticate with the cluster leader. The pre-shared key is a secret passphrase that is configured on the cluster leader and must be entered on the joining appliance. To join a cluster by using the Cisco ESA CLI, the network engineer must use the clusterconfig command, which allows the engineer to create a new cluster, join an existing cluster, or leave a cluster. The clusterconfig command also allows the engineer to specify the communication port and the hostname or IP address of the cluster leader. If the Cisco ESA has enabled two-factor authentication, the network engineer must also use the clusterconfig > prepjoin command to configure the pre-shared key before joining the cluster34.

Therefore, option A is the correct answer, and the other options are incorrect. Option B is incorrect because the cluster configuration options must be done via the CLI on the Cisco ESA and cannot be created or joined in the GUI. Option C is incorrect because the Cisco ESA does not support TACACS+ as an external authentication source, only LDAP and RADIUS. Option D is incorrect because it also uses TACACS+, which is not supported by the Cisco ESA. References :=

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Distributing Administrative Tasks

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - External Authentication

Configure an Email Security Appliance (ESA) Cluster

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Centralized Management

NetFlow is a baseline form of telemetry that is recommended for network infrastructure devices. NetFlow is a technology that collects and exports information about IP traffic flows on enabled interfaces. NetFlow can provide valuable insight into the network performance, utilization, behavior, and security. NetFlow can help identify anomalies, such as DDoS attacks, malware, or misconfigurations, by comparing the current traffic patterns with the normal or baseline ones. NetFlow can also help with capacity planning, troubleshooting, and forensic analysis. NetFlow is supported on various Cisco platforms, such as routers, switches, firewalls, and IPS sensors. NetFlow can export data to different collectors and analyzers, such as Cisco Security Monitoring, Analysis and Response System (CS-MARS), Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances, Cisco Network Analysis Module (NAM), and other third-party tools. References:

The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. This means that the ASA acts as a proxy between the Cisco IP Phone and the Cisco Unified Communications Manager (UCM), decrypting, inspecting, and re-encrypting the voice signaling traffic. To do this, the ASA needs to have the certificates of the devices that the phone trusts, such as the UCM servers and the TFTP servers. These certificates are stored in a Certificate Trust List (CTL) file that the phone downloads from the UCM before registration. Therefore, the ASA must be added to the CTL file on the UCM platform, so that the phone can verify the identity of the ASA as a proxy. The other options are not relevant for this scenario. The Endpoint Trust List is a list of certificates that the UCM trusts for encrypted endpoints. The Enterprise Proxy Service is a feature that allows the UCM to route calls to and from the public switched telephone network (PSTN) through a SIP proxy server. The Secured Collaboration Proxy is a feature that allows the UCM to encrypt the media streams between endpoints using Secure Real-Time Transport Protocol (SRTP). References :=

Cisco Secure Firewall ASA Unified Communications Guide - TLS Proxy for Encrypted Voice Inspection

TLS Proxy for Encrypted Voice Inspection - Cisco

Where must the ASA be added on the Cisco UC Manager platform?

To block certain URLs based on the “Chat and Instant Messaging” category, the network administrator should select a reputation score of 5. A reputation score is a numerical value that indicates the likelihood of a URL being malicious or unwanted. The lower the score, the higher the risk. A score of 5 means that the URL is suspicious or potentially harmful, and should be blocked or inspected12. A score of 3 means that the URL is unknown or unverified, and may be allowed or blocked depending on the policy settings12. A score of 10 means that the URL is trustworthy or benign, and should be allowed12. A score of 1 means that the URL is malicious or high-risk, and should be blocked12. Therefore, a score of 5 is the most appropriate to block the “Chat and Instant Messaging” category, which may contain unwanted or problematic websites. References:

Reputation score, section “Reputation score”.

Web content filtering, section “What is web content filtering?”.

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

Configure Windows Policy in AMP for Endpoints - Cisco

Prevent, Detect and Respond with Cisco AMP for Endpoints

Explanation

A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3 main methods:

1. Terminal Enrollment – manual method of performing trustpoint authentication and certificate enrolment using copy-paste in the CLI terminal.

2. SCEP Enrollment – Trustpoint authentication and enrollment using SCEP over HTTP.

3. Enrollment Profile – Here, authentication and enrollment methods are defined separately. Along with terminal and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to perform file retrieval from the Server, which is defined using an authentication or enrollment url under the profile.

MDM stands for Mobile Device Management, which is a system that performs compliance checks and remote wiping on mobile devices. MDM allows administrators to enforce security policies, monitor device status, and remotely manage devices in case of loss, theft, or compromise. MDM can also integrate with other Cisco security solutions, such as ISE, AMP, and Umbrella, to provide enhanced protection and visibility for mobile devices. References:

Mobile Device Management (MDM) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 5: Secure Network Access

The RAT (Recipient Access Table) is the list that contains the allowed recipient addresses on the Cisco ESA. The RAT controls whether the ESA accepts or rejects messages to a recipient address based on the sender group and the mail policy. The RAT can be configured to allow, relay, or reject messages to specific recipients or domains. The RAT can also be used to apply different message filters or content filters to different recipient groups12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 3: Deploying Cisco Email Security Appliance, Topic: Configuring Mail Policies2: Cisco Email Security Appliance User Guide, Release 13.5 - Configuring Mail Policies [Cisco Secure Email Gateway] - Cisco.

CoA stands for Change of Authorization, which is a feature that allows a RADIUS server to adjust an active client session after it is authenticated. For example, CoA can be used to reauthenticate a client, terminate a client session, or change the VLAN or group policy of a client. CoA is supported by several RADIUS vendors, including Cisco ISE. CoA is defined in RFC 5176 and uses a pushed model, where the request originates from the RADIUS server and is sent to the network device that acts as a listener. CoA requests can have two possible response codes: CoA-ACK (acknowledgment) or CoA-NAK (non-acknowledgment). References :=

Some possible references are:

RADIUS Change of Authorization

Change of Authorization with RADIUS (CoA) on MR Access Points

Change of Authorization with RADIUS (CoA) on MS Switches

Technical Tip: Radius COA behavior

A CoA request is a network protocol message used in the context of network access control and authentication systems. It is typically employed in scenarios where a user’s access privileges or attributes need to be modified during an active network session. CoA requests are commonly used in conjunction with the RADIUS protocol, which is widely used for managing user authentication and authorization in network environments. When a CoA request is initiated, it is sent by a network access server (NAS) to a RADIUS server to request a change in the user’s authorization state or attributes. The CoA request contains information specifying the desired change, such as granting additional access privileges, revoking existing privileges, modifying session parameters, or updating user attributes. The RADIUS server processes the CoA request and applies the necessary changes to the user’s session in real-time, allowing dynamic adjustments to the user’s authorization and network access. CoA requests are often utilized in scenarios where an administrator needs to promptly update a user’s access rights without requiring them to terminate their current session. This flexibility is particularly valuable in environments that demand fine-grained access control or where access privileges need to be adjusted based on changing circumstances or policies. References :=

Some possible references for this answer are:

RADIUS Change of Authorization - Cisco

What is a CoA Request? - Portnox

RADIUS Change of Authorization: Explained - Cloud RADIUS

The ip radius source-interface command is needed for this configuration because it forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. This ensures that the RADIUS server can identify the source of the requests and apply the appropriate policies. If this command is not used, RADIUS will use the IP address of the interface that is closest to the destination, which may not match the configured NAS IP on the RADIUS server. This can cause the RADIUS server to reject the requests as unauthorized12. References:

1: RADIUS source interface - Cisco Community

2: RADIUS Commands - Cisco

 Transparent mode is a Cisco ASA deployment model that allows the ASA to act as a bump in the wire, or a stealth firewall. In this mode, the ASA does not have an IP address on the network, and it does not participate in routing. Instead, it filters traffic between hosts in the same IP subnet using higher-level protocols such as TCP, UDP, and ICMP. Transparent mode is useful when you want to apply security policies without readdressing the network or changing the default gateway of the hosts. Some of the benefits of transparent mode are:

It preserves the original source and destination IP addresses of the packets, which can be useful for logging and auditing purposes.

It simplifies the configuration of the ASA, as you do not need to configure routing protocols, NAT, or DHCP.

It allows the ASA to inspect non-IP traffic, such as ARP, STP, and CDP.

It supports multiple contexts, which can provide logical separation of traffic for different tenants or customers.

Some of the limitations of transparent mode are:

It does not support VPN, dynamic routing, multicast routing, or QoS.

It requires the use of EtherType ACLs to filter non-IP traffic, which can be complex and cumbersome.

It requires the use of bridge groups and bridge domains to define the interfaces and VLANs that belong to the same broadcast domain.

It requires the use of MAC address learning and aging to maintain a MAC address table for each bridge group.

References :=

Some possible references are:

Cisco ASA Series Firewall CLI Configuration Guide, 9.10 - Transparent Firewall Mode

Deploying ASA - Cisco

Cisco ASA 5500-X Series Firewalls - Configuration Guides - Cisco