350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

Device compliance is the state of devices meeting the standards and regulations for the industry or organization. Device compliance policies define the rules and settings that users and devices must meet to be compliant, such as minimum operating systems, disk encryption, or Secure Boot. Device compliance policies can also include actions that apply to devices that are noncompliant, such as alerting users, blocking access, or wiping data. Device compliance policies can be integrated with Conditional Access, which can enforce attribute-driven policies based on the compliance status of the device. Attribute-driven policies are policies that use attributes of the device, user, or resource to determine the level of access or protection. For example, a policy can allow access to a resource only if the device is compliant, the user is in a certain group, and the resource is in a certain location. Attribute-driven policies provide more granular and flexible control over access and security than traditional policies based on roles or permissions. Therefore, the benefit of performing device compliance is providing attribute-driven policies, which is option D. References:

Device compliance policies in Microsoft Intune

Device Compliance settings for Windows 10/11 in Intune

Device Compliance: What it is and why you should use it

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Installing the Cisco Umbrella root CA onto the user’s device is the action that accomplishes the goal of inspecting traffic without alerting end-users. This is because the root CA allows the user’s device to trust the certificates issued by the Cisco Umbrella intelligent proxy, which acts as a man-in-the-middle for SSL sites on Umbrella’s grey list. Without the root CA, the user’s browser would raise errors when accessing those sites, as it would detect an untrusted certificate. By installing the root CA, the user’s browser would accept the certificate and allow the traffic to be proxied and inspected by the intelligent proxy. References:

Enable SSL Decryption - Umbrella User Guide

SSL Decryption in the Intelligent Proxy – Cisco Umbrella

Cisco Umbrella Intelligent Proxy and SSL Decryption

Intelligent Proxy and SSL Decryption with Cisco Umbrella

Explanation

Explanation

To let FMC manages FTD, first we need to add manager from the FTD and assign a register key of your

choice. The command configure manager add 1.1.1.2 the_registration_key_you_want, where 1.1.1.2 is the IP

address of the FMC, you need to use the same registration key in FMC when adding this FTD as a managed

device.

The zero-trust model is a modern security strategy that assumes breach and verifies each request as though it originates from an open network. The main concept behind the zero-trust model is “never trust, always verify”, which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified12

One of the principles of the zero-trust model is to verify explicitly, which means to always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies13 To achieve this, the zero-trust model recommends using multifactor authentication (MFA), which is a method of verifying a user’s identity by requiring two or more pieces of evidence, such as something the user knows (e.g., password, PIN), something the user has (e.g., token, smart card), or something the user is (e.g., fingerprint, face scan). MFA provides a higher level of security than using only a single factor, such as a password, which can be easily compromised or guessed. MFA also reduces the risk of unauthorized access to corporate applications and resources, which may contain sensitive or confidential information.

Therefore, the recommendation in a zero-trust model before granting access to corporate applications and resources is to use multifactor authentication, as it ensures that only verified and authorized users and devices can access the data they need, and nothing more13

References := 1: Zero Trust Model - Modern Security Architecture | Microsoft Security 2: Zero trust security model - Wikipedia 3: What is Zero Trust? | Microsoft Learn : Multifactor Authentication (MFA) | Cisco

The result of using this authentication protocol in the configuration is that the authentication and authorization requests are grouped in a single packet. This is because the configuration uses RADIUS as the AAA protocol, which combines both authentication and authorization functions in one process. RADIUS is facilitated through AAA and can be enabled only through AAA commands. The aaa new-model global configuration command enables AAA, and the radius-server host command specifies the IP address and the shared secret key of the RADIUS server. The aaa authentication command defines the method list for RADIUS authentication, and the aaa group server command defines the group name and the members of the group. The line and interface commands enable the defined method list to be used. When a user tries to access the router, the router sends a single Access-Request packet to the RADIUS server, which contains the user credentials and other attributes. The RADIUS server then verifies the credentials and returns either an Access-Accept packet, which grants access and may include authorization information, or an Access-Reject packet, which denies access. Therefore, the correct answer is D. References:

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst …

Configuring Basic AAA on an Access Server - Cisco

AAA Server Priority explained with New Radius Server Command Line

Configuring AAA on Cisco Devices – RADIUS and TACACS+ - Study-CCNA

Container orchestration is the automated process of organizing the functions of modular, containerized components that create the infrastructure of an application1. Container orchestration tools, such as Kubernetes, provide a framework for managing containers and microservices architecture at scale2. A feature of container orchestration is the ability to deploy Kubernetes clusters in air-gapped sites, which are isolated from the internet and other networks for security reasons3. Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of Kubernetes clusters in any environment, including air-gapped sites4. CCP provides a data plane that runs on the Kubernetes nodes and handles the container networking, storage, and security. CCP also provides a control plane that runs on a separate management cluster and provides a web-based user interface and API for cluster operations. CCP supports the deployment of Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) clusters on the data plane, but not on air-gapped sites. References: 1: What Is Container Orchestration? | AppDynamics 2: What is container orchestration? - Red Hat 3: Container orchestration for microservices - Azure Architecture Center 4: Cisco Container Platform Data Sheet : Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Cloud and Network Security, Lesson 5.3: Cisco Cloud Security Solutions, Topic 5.3.2: Cisco Container Platform : Cisco Container Platform User Guide, Release 5.1, Chapter: Deploying Amazon ECS Clusters

 The Cisco Umbrella package that supports selective proxy for inspection of traffic from risky domains is SIG Advantage. SIG stands for Secure Internet Gateway, and it is a cloud-based service that provides comprehensive web security and threat intelligence. SIG Advantage includes all the features of DNS Security Advantage, such as DNS-layer protection, intelligent proxy, and cloud-delivered firewall, plus additional features such as full proxy, SSL decryption, advanced malware protection, and data loss prevention. Selective proxy is a feature that allows Umbrella to route risky domain requests to a proxy for deeper URL and file inspection, without impacting the performance or latency of legitimate traffic. Selective proxy is based on the reputation of the domains, which are classified into three categories: good, bad, and grey. Good domains are allowed without proxying, bad domains are blocked at the DNS layer, and grey domains are proxied for further inspection. Selective proxy is available in both DNS Security Advantage and SIG Advantage packages, but only SIG Advantage offers full proxy for all web traffic, which provides more granular control and visibility over web transactions and file types. References:

Cisco Umbrella Packages

Why Umbrella DNS Security?

Manage the Intelligent Proxy

Cisco Umbrella - Selected Proxy versus Full Proxy

The correct answer is to enable two-factor authentication through a RADIUS server, and then join the cluster via the SEG CLI. Two-factor authentication is a security feature that requires users to provide two forms of identification before accessing the SEG, such as a username and password, and a one-time code or token. This adds an extra layer of protection against unauthorized access and phishing attacks. The SEG supports two-factor authentication through external RADIUS servers, which can be configured on the System Administration > Users page in the web interface, or the userconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Two-Factor Authentication) for more details.

To join a cluster, the SEG must communicate with other cluster members using either SSH or CCS (Cluster Communication Service). The cluster communication port and method can be configured on the Network > Cluster Communication page in the web interface, or the clusterconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Cluster Communication) for more details.

If two-factor authentication is enabled on the SEG, it cannot join a cluster using the web interface, because the web interface does not support two-factor authentication for cluster operations. Therefore, the SEG must join the cluster using the CLI, and provide a pre-shared key that matches the cluster’s admin passphrase. The pre-shared key can be configured using the clusterconfig > prepjoin command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Creating and Joining a Cluster) for more details.

The other options are incorrect because they either use the wrong authentication server (TACACS+ instead of RADIUS), or the wrong communication method (GUI instead of CLI). References:

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment)

Configure an Email Security Appliance (ESA) Cluster - Cisco

A Trojan malware attack is a type of malicious code or software that disguises itself as a legitimate program or file to trick users into executing it. Once executed, the Trojan can perform various harmful actions on the infected system or network, such as stealing data, deleting files, or installing other malware. There are different types of Trojan malware attacks, depending on their purpose and behavior. Two common types are:

Rootkit: A rootkit is a type of Trojan that hides itself and other malware from detection and removal by antivirus software or system tools. A rootkit can modify the operating system or the firmware of the device to gain persistent and privileged access to the system. A rootkit can also intercept and manipulate system calls, network traffic, or user input to conceal its activities or redirect them to malicious servers.

Backdoor: A backdoor is a type of Trojan that creates a secret or unauthorized access point to the infected system or network. A backdoor can allow an attacker to remotely control the system, execute commands, upload or download files, or monitor the system activity. A backdoor can also be used to install other malware or launch further attacks on other systems or networks.

The function of Cisco Cloudlock for data security is data loss prevention (DLP). Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem1. One of the key features of Cloudlock is its DLP technology, which continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. You can use Cloudlock’s DLP to prevent data breaches, comply with regulations, and enforce data governance across SaaS, PaaS, and IaaS platforms2. References: 1: Cisco Cloudlock - Cisco2: Cloudlock: Cloud User Security - Cisco Umbrella.

 Cisco Web Security Appliance (WSA) is the platform that automatically blocks risky sites, and tests unknown sites for hidden advanced threats before allowing users to click them, using Cisco Cognitive Threat Analytics. Cisco Cognitive Threat Analytics is a cloud-based solution that reduces the time to discovery of threats operating inside the network by analyzing web traffic and detecting anomalous behavior. Cisco WSA integrates with Cisco Cognitive Threat Analytics to provide enhanced web security and breach detection. Cisco WSA can also leverage other Cisco security solutions, such as Cisco Umbrella, Cisco Advanced Malware Protection (AMP), and Cisco Talos Intelligence Group, to provide comprehensive web security. References:

Cisco Web Security Appliance (WSA)

Cisco Cognitive Threat Analytics At-a-Glance

Introducing Cisco Cognitive Threat Analytics

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 3: Cloud and Content Security

Explanation

Explanation

When supporting personal devices on a corporate network, you must protect network services and enterprise

data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE

provides the tools you need to allow employees to securely use personal devices on a corporate network.

Guests can add their personal devices to the network by running the native supplicant provisioning (Network

Setup Assistant), or by adding their devices to the My Devices portal.

Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add

these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these devices.