350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

A destination list is a list of internet destinations: domains, URLs, and CIDRs. To control identity access to specific destinations, you can add destination lists to Umbrella and then select them when configuring your Web and DNS policies12. When you add or edit a destination list, the changes are applied immediately if the destination list is part of a policy3. This means that any identities that are associated with the policy will be affected by the changes in the destination list. You do not need to save the configuration or remove the destination list from the policy to apply the changes. However, you do need to have the appropriate user role to manage destination lists. The user role of Block Page Bypass or higher is needed to perform these changes4. References :=

• Manage Destination Lists - Umbrella User Guide
• Manage Destination Lists - Umbrella SIG User Guide
• Add a Destination List - Umbrella User Guide
• Add a DNS Destination List - Umbrella SIG User Guide

The reason for the failure is that detections for MD5 signatures must be configured in the advanced custom detection policies, not in the simple detection policy section. The simple detection policy section allows users to create a list of SHA-256 hashes of files that they want to block or quarantine on the endpoints. The SHA-256 hash is a more secure and unique identifier of a file than the MD5 hash, which can have collisions or duplicates. The advanced custom detection policy section allows users to create more complex and flexible rules to detect and block files based on various criteria, such as file name, size, type, signature, or MD5 hash. The advanced custom detection policy section also supports wildcards and regular expressions to match multiple files or patterns. Therefore, if the administrator wants to add specific MD5 signatures to the custom detection policy, they should use the advanced custom detection policy section instead of the simple detection policy section.

References:

• Configure a Simple Custom Detection List on the AMP for Endpoints Portal - Cisco, Step 4: On the Add SHA-256 option, paste the SHA-256 code previously collected from the specific file you want to block, as shown in the image.
• Create an Advanced Custom Detection List in Cisco Secure Endpoint - Cisco, Step 3: Next, Edit that new Signature Set, and Add Signature. Win.Exploit.CVE_2020_0601:1::06072A8648CE3D02010606072A8648CE3D020130.

 The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter. References :=

• Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02
• Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?

Cisco AnyConnect is a client-based VPN solution that provides secure remote access for individual users from their machines. It allows customization of access policies based on user identity, such as group membership, device posture, or location. This enables granular control over who can access what resources on the network. Cisco AnyConnect also supports various authentication methods, such as certificates, multifactor authentication, or single sign-on. Cisco AnyConnect can be deployed with Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) as the VPN headend.

Cisco DMVPN is a network-based VPN solution that provides dynamic, on-demand, and scalable connectivity for branch offices, teleworkers, and business partners. It uses multipoint GRE (mGRE) tunnels and Next Hop Resolution Protocol (NHRP) to establish direct spoke-to-spoke communications without traversing the hub. It also supports IPsec encryption and various routing protocols over the tunnel. Cisco DMVPN can be deployed with Cisco IOS routers as the VPN headend.

The advantages of using Cisco AnyConnect over DMVPN are:

• It enables VPN access for individual users from their machines, which is useful for mobile workers or telecommuters who need to connect to the network from anywhere.
• It allows customization of access policies based on user identity, which is useful for enforcing security and compliance requirements for different types of users or devices.

The advantages of using DMVPN over Cisco AnyConnect are:

• It provides spoke-to-spoke communications without traversing the hub, which reduces latency and bandwidth consumption for traffic between remote sites.
• It allows different routing protocols to work over the tunnel, which provides flexibility and scalability for network design and management.

References:

• Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Data Sheet
• [Cisco AnyConnect Secure Mobility Client Data Sheet]
• Cisco Get VPN vs DMVPN: Difference and Comparison
• Comparing Cisco SD-WAN to DMVPN
• What are two advantages of using Cisco AnyConnect over DMVPN?

 Phishing is a type of cyberattack that uses fraudulent emails or other communications to trick users into providing sensitive information or installing malware on their devices1. Phishing can lead to identity theft, data breaches, ransomware infections, and financial losses. To protect employees from phishing attacks, a company can use various solutions that can detect, block, and remediate phishing threats. Two of these solutions are:

• Cisco Umbrella: Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet, including phishing2. Cisco Umbrella uses DNS-layer security, which can identify and block malicious domains, IPs, and URLs before they can reach the user’s device2. Cisco Umbrella also integrates with Cisco Email Security to provide additional protection against phishing emails that may bypass the email gateway3.
• Cisco Email Security Appliance (ESA): Cisco ESA is an email gateway that protects inbound and outbound email traffic from spam, malware, phishing, and other threats4. Cisco ESA uses multiple layers of defense, such as reputation filtering, antivirus scanning, outbreak filters, and content filtering, to prevent malicious emails from reaching the user’s inbox4. Cisco ESA also leverages Cisco Advanced Phishing Protection, which uses machine learning and threat intelligence to identify and block sophisticated phishing attacks that use identity deception techniques5.

References := 1: What Is Phishing? Examples and Phishing Quiz - Cisco 2: Cisco Umbrella - Cloud Delivered Enterprise Security 3: Cisco Umbrella and Cisco Email Security Integration 4: Cisco Secure Email - Cisco 5: Cisco Advanced Phishing Protection - Cisco Video Portal

accomplish the task is to install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE. This will allow the engineer to integrate Cisco ISE with Cisco DUO for TACACS+ device administration using Active Directory as the primary authentication source and Cisco DUO as the secondary authentication source for multi-factor authentication (MFA). The steps to configure this solution are as follows12:

• Install and configure the Cisco DUO Authentication Proxy on a Windows or Linux machine. The proxy will act as a RADIUS server that communicates with Cisco ISE and a RADIUS client that communicates with Cisco DUO cloud. The proxy will also connect to Active Directory for the primary authentication of the users.
• Configure the proxy by editing the authproxy.cfg file. The file should include the following sections:
• Restart the proxy service after saving the authproxy.cfg file.
• Configure Cisco ISE as a TACACS+ server and add the proxy as an external RADIUS server. The steps are as follows:
• Configure the network devices to use TACACS+ for device administration and specify Cisco ISE as the TACACS+ server and the proxy as the RADIUS server. The configuration commands may vary depending on the device type and model, but the general syntax is as follows:
• aaa new-model
• aaa authentication login default group tacacs+ local
• aaa authorization exec default group tacacs+ local
• aaa accounting exec default start-stop group tacacs+
• tacacs server ISE
• address ipv4
• key
• radius server DUO
• address ipv4 auth-port
• key
• Test the solution by logging into the network devices using Active Directory credentials. The user should receive a Cisco DUO prompt for the second factor authentication, such as a push notification, a phone call, or a passcode. After approving the second factor authentication, the user should be granted access to the device with the appropriate privileges based on the TACACS profile and the Active Directory attributes.

References := 1: Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users - Cisco Community 2: Protecting Access to Network devices with ISE TACACS+ and DUO MFA - Cisco Community

To block a website based on a custom list, the customer should add the websites to a blocked type destination list. A destination list is a custom list of domains or URLs that the customer wants to allow or block for their identities. The customer can create destination lists through the Policy Components > Destination Lists page, or within the policy wizard when creating or editing a policy. The custom URL destination block lists feature enables Umbrella to extend a domain level block list to encompass full and partial URLs. In turn, this allows the customer to block certain portions of a website based specifically on the full or partial URL. This feature requires the customer to enable the intelligent proxy and install a root certificate for SSL decryption. References:

• Configure Web Policies and Destination Lists - Cisco Umbrella
• Control Access to Custom URLs - Umbrella SIG User Guide
• Cisco 350-701: How should customer block websites based on custom list
• Umbrella Dashboard: New Features—Custom blocked URLs
• Understanding Destination lists supported entries and … - Cisco Umbrella

the interface configuration. MAB stands for MAC Authentication Bypass, which is a feature that allows devices that do not support 802.1X, such as printers and video cameras, to bypass the authentication process and gain network access based on their MAC addresses1. By adding mab to the interface configuration, the Cisco ISE administrator can enable MAB as a fallback method after 802.1X fails or times out. This way, the devices that support 802.1X can use their machine certificate credentials, while the devices that do not support 802.1X can use their MAC addresses to authenticate with Cisco ISE2. The other options are not correct because they either compromise the security controls or do not address the problem. Changing the default policy in Cisco ISE to allow all devices not using machine authentication would weaken the security posture and expose the network to unauthorized access. Enabling insecure protocols within Cisco ISE in the allowed protocols configuration would also reduce the security level and increase the risk of attacks. Configuring authentication event fail retry 2 action authorize vlan 41 on the interface would only apply to the devices that fail authentication twice, and would not solve the issue for the devices that do not support 802.1X at all3. References:

• 1: MAC Authentication Bypass Deployment Guide
• 2: Configuring MAC Authentication Bypass
• 3: Cisco Identity Services Engine Administrator Guide, Release 3.1 - Segmentation

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

Dual-SSID BYOD is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal. This flow is a unique capability of ISE where the user does not have to log in twice, as ISE can take the user information from the 802.1X session and direct the user to the BYOD flow. Once the endpoint is onboarded, it is reconnected to the secured WLAN for full network access. This flow is different from single-SSID BYOD, where the endpoint associates to a secure WLAN, gets onboarded, and then reconnects to the same WLAN12. References: 1: ISE BYOD: Dual vs. Single SSID Onboarding - Cisco Community 2: Cisco ISE BYOD Prescriptive Deployment Guide - Cisco Community

The exhibit shows an access rule for URL filtering that has the following conditions:

• The action is Block
• The URL category is Botnets
• The URL reputation is 3
• The URL list is empty

This means that the rule will block any URL that matches the category and reputation criteria, regardless of the individual URL. According to the Cisco documentation1, the URL reputation is a score from 1 to 5 that indicates the risk level of a URL, where 1 is the most risky and 5 is the least risky. Therefore, a reputation score of 3 means a moderate risk level. The rule will not block URLs for botnets with reputation scores of 1, 2, 4, or 5, nor will it block any other URL category or list. The rule will also not allow any URL, as the action is Block, not Allow.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.3: Cloud Application Security, Topic 4.3.2: Cisco Umbrella, page 4-58.

The process in DevSecOps where all changes in the central code repository are merged and synchronized is called Continuous Integration (CI). CI is a practice that aims to improve the quality and speed of software development by automating the building, testing, and integration of code changes. CI enables developers to collaborate more effectively and detect errors early in the development cycle. CI also helps to ensure that the code in the repository is always in a deployable state and conforms to the security and quality standards123. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 5: Secure Network Access, Identity Management, and Visibility, Lesson 5.1: Introducing DevSecOps 2: DevSecOps code process - AT&T4 3: Building a DevSecOps Culture - from a Technical Perspective5

NTP uses UDP port 123 to communicate with its servers and peers. If the Cisco ASA has IP reachability to the NTP server and is not filtering any traffic, then the most likely cause of the unsynchronized state and the stratum of 16 is that the NTP server is not working properly or is not configured to provide NTP service. A stratum of 16 means that the NTP server is unreachable or is not considered a viable candidate1. The value.INIT. in the refid column indicates that NTP is initializing, and the server has not yet been reached1. To resolve this issue, the network engineer should verify the status and configuration of the NTP server, and use a different server if needed. Alternatively, the network engineer can use the ntp server command with the prefer keyword to specify a preferred NTP server, or use the ntp update-calendar command to force a resynchronization of NTP2. References:

• 1: NTP server is unsynchronized or unreachable, a Wireshark perspective.
• 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Network Security, Lesson 1.3: Configuring Network Time Protocol.