350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

The purpose of a Denial-of-Service (DoS) attack is to disrupt the normal operation of a targeted system, server, or network by overwhelming it with a flood of internet traffic. This is achieved by utilizing multiple compromised computer systems as sources of attack traffic. The overwhelming amount of traffic can cause the targeted system to slow down significantly or even crash and become unavailable to legitimate users, thereby denying service to intended users.

A PAC file, or proxy auto-configuration file, is a script that tells the web browser how to use a proxy server for different URLs. A PAC file can be hosted on a web server or on the WSA itself, and can be deployed to the client web browser manually or automatically. A WSA HTTP proxy configuration with a PAC file is defined as an explicit proxy deployment, because the client web browser is aware of the proxy and sends requests to it directly. This is different from a transparent proxy deployment, where the client web browser is unaware of the proxy and the requests are redirected to it by a network device such as a router or a firewall. A bridge proxy deployment is a type of transparent proxy deployment where the WSA acts as a layer 2 bridge between two network segments and intercepts the traffic passing through it. A PAC file is not used in a bridge proxy deployment. In a dual-NIC configuration, the WSA has two network interfaces, one for the client-side network and one for the server-side network. The PAC file does not direct traffic through the two NICs to the proxy, but rather tells the client web browser to send requests to the proxy’s IP address and port number. The WSA then forwards the requests to the server-side network through the other NIC. Therefore, option B is incorrect. References :=

Some possible references are:

1: What is a Proxy Pac file and are there any examples? - Cisco

2: What is a PAC file and where is it located on WSA? - Cisco

3: [WSA Training Series] How to configure the HTTPS Proxy on the Cisco Web Security Appliance

4: Proxy Auto-Configuration (PAC) file

5: Use proxy auto-configuration (.pac) files with IEAK 11

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

Cisco Secure Workload (formerly Tetration) is a solution that provides visibility, segmentation, and security for cloud applications. It can monitor application communications, detect abnormal application behavior, and identify vulnerabilities within the applications. Cisco Secure Workload can also enforce granular policies to control the traffic between applications and prevent unauthorized access. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Cloud and Content Security, Lesson 6.2: Cisco Cloud Security Solutions, Topic 6.2.2: Cisco Secure Workload

Explanation

SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which can often break scripts.

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data.

Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics. Referfence: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming telemetry

 The configuration snippet in the image is a part of IKEv2 configuration where the name mangler is associated with the organizational unit (OU) “MANGLER”. In Cisco’s IKEv2 implementation, this specific configuration means that only an IKEv2 peer whose certificate has an OU attribute set to “MANGLER” can establish an IKEv2 Security Association successfully. This is a method of ensuring that only peers with certificates issued to a specific organizational unit can connect, enhancing security by limiting unauthorized access. The name mangler is a feature that allows the administrator to specify a string that must be present in the peer’s certificate for authentication. The name mangler can be applied to any certificate field, such as common name (CN), organization (O), or OU. The name mangler can also be used to modify the peer’s identity based on the certificate field, such as appending or prepending a string to the identity. The name mangler is configured under the IKEv2 profile using the command crypto ikev2 profile profile-name identity name-mangler name-mangler-name dn field-name. In this case, the name mangler is applied to the OU field of the peer’s certificate. The other options are incorrect because they do not describe the effect of the name mangler configuration. Option A is incorrect because the name mangler does not affect the identity matching for the IKEv2 authorization policy. The identity matching is based on the peer’s identity type and value, which can be different from the certificate field. Option C is incorrect because the name mangler does not encrypt the OU field of the peer’s certificate. The OU field is part of the certificate’s subject, which is not encrypted in the IKEv2 messages. Option D is incorrect because the name mangler does not set the OU field of the peer’s certificate. The OU field is determined by the certificate authority (CA) that issues the certificate, and the name mangler only verifies or modifies the peer’s identity based on the OU field. References : Configuring Internet Key Exchange Version 2, Internet Key Exchange Version 2 CLI Constructs, Tutorial: Setting up a certificate-based IKEv2 VPN connection (RSA)

Explanation

Prevalence allows you to view files that have been executed in your deployment.

Note: Threat Root Cause shows how malware is getting onto your computers.

Explanation

Explanation

Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security policies

and device configurations with ease across multiple Cisco and cloud-native security platforms.

Cisco Defense Orchestrator features:

….

Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki

MX software is now easy, with the ability to share policy elements across platforms.

Retrospective detection is a feature of Cisco Advanced Malware Protection (AMP) for Endpoints that performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches. Retrospective detection allows AMP to continuously analyze file activity across the network and identify malicious behavior that was previously undetected. Retrospective detection can also trigger alerts and remediation actions when a file’s disposition changes from clean to malicious12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Endpoint Protection and Detection, Lesson 4.1: Cisco AMP for Endpoints Overview, Topic 4.1.3: Retrospective Detection 2: Cisco AMP for Endpoints User Guide, Chapter: Retrospective Detection, URL: 3

https://learn-umbrella.cisco.com/i/802005-umbrella-security-report/3?

https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html#:~:text=Powerful%20EDR%20capabilities,from%20Kenna%20Security.

Cisco Advanced Malware Protection (AMP) for endpoints can be seen as a replacement for the traditional antivirus solution. It is a next generation, cloud delivered endpoint protection platform (EPP), and advanced endpoint detection and response (EDR). Providing Protection – Detection Response

While Cisco Umbrella can enforce security at the DNS-, IP-, and HTTP/S-layer, this report does not require that blocking is enabled and only monitors your DNS activity. Any malicious domains requested and IPs resolved are indicators of compromise (IOC).

Any malicious domains requested and IPs resolved are indicators of compromise (IOC)

Explanation

Explanation

The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide the following major functions:

…

– Delays the export of flow-create events.

single methods of authentication can be compromised more easily than MFA. MFA, or multi-factor authentication, is a security process that requires users to provide two or more factors to verify their identity and access resources. MFA reduces the risk of unauthorized access by making it harder for attackers to compromise all the factors needed, especially if they are different in nature, such as something you know (password), something you have (token), and something you are (biometric).

To understand the concept of MFA and why it is important for authentication security, you can refer to the following sections of the source book:

Section 1.1.1: Describe the concepts of identity and access management

Section 1.1.1.1: Describe the concepts of identity principles

Section 1.1.1.2: Describe the concepts of authentication

Section 1.1.1.3: Describe the concepts of authorization

Section 1.1.1.4: Describe the concepts of accounting

Section 1.1.1.5: Describe the concepts of identity stores

Section 1.1.1.6: Describe the concepts of MFA

In Cisco Secure Endpoint, to create a custom detection file list for detecting and quarantining future files, an advanced custom detection should be created, and the hash of each file to be detected and quarantined should be uploaded. This allows the system to uniquely identify and take action on files based on their hash values, providing a precise method for targeting specific malicious or unwanted files.