Free Cisco 350-701 Practice Exam with Questions & Answers | Set: 11

Cisco Identity Services Engine (ISE) is a product that provides comprehensive and scalable access policy enforcement for wired and wireless networks. ISE supports TACACS+ for device administration, which allows for granular control over the commands and actions that network administrators can perform on network devices. ISE also supports 802.1X, MAB, and WebAuth for network access, which enables authentication and authorization of users and endpoints based on various attributes, such as identity, device type, posture, location, and time. ISE can also integrate with other Cisco security products, such as Cisco Stealthwatch and Cisco AMP for Endpoints, to provide enhanced visibility and threat detection. Therefore, ISE is the product that meets all of the requirements stated in the question. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Network Access, Identity Management, and Secure Access

TACACS+ Configuration Guide, Configuring TACACS

Cisco Identity Services Engine Administrator Guide, Release 2.7, Device Administration

Cisco Identity Services Engine Administrator Guide, Release 2.7, Network Access Devices

Cisco Identity Services Engine Administrator Guide, Release 2.7, Policy Sets

single methods of authentication can be compromised more easily than MFA. MFA, or multi-factor authentication, is a security process that requires users to provide two or more factors to verify their identity and access resources. MFA reduces the risk of unauthorized access by making it harder for attackers to compromise all the factors needed, especially if they are different in nature, such as something you know (password), something you have (token), and something you are (biometric).

To understand the concept of MFA and why it is important for authentication security, you can refer to the following sections of the source book:

Section 1.1.1: Describe the concepts of identity and access management

Section 1.1.1.1: Describe the concepts of identity principles

Section 1.1.1.2: Describe the concepts of authentication

Section 1.1.1.3: Describe the concepts of authorization

Section 1.1.1.4: Describe the concepts of accounting

Section 1.1.1.5: Describe the concepts of identity stores

Section 1.1.1.6: Describe the concepts of MFA

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Cisco strongly recommends that you keep the default settings for the remote management port, but if the

management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

The amount of URI text that is stored in Cisco WSA log files is controlled by the log-entry size parameter, which can be configured using the advancedproxyconfig command. The log-entry size parameter specifies the maximum number of bytes of the URI that will be logged for each request. The default value is 1024 bytes, but it can be changed to any value between 1 and 4096 bytes. If the URI is longer than the log-entry size, it will be truncated and a plus sign (+) will be appended to indicate that the URI was cut off. Configuring a small log-entry size can reduce the disk space and bandwidth consumption of the log files, but it can also limit the visibility and analysis of the requests.

References :=

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Customizing Access Logs

Cisco WSA CLI Reference Guide for AsyncOS 11.0, advancedproxyconfig Command

WSA FAQ: How can I view the logs on the Cisco WSA? - Cisco

Explanation

Cloud computing can be broken into the following three basic models:

+ Infrastructure as a Service (IaaS): IaaS describes a cloud solution where you are renting infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model because you pay for what you use.

+ Platform as a Service (PaaS): PaaS provides everything except applications. Services provided by this

model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

+ Software as a Service (SaaS): SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a peruse fee.

Mobile device management (MDM) is a solution that allows organizations to manage and secure mobile devices such as smartphones and tablets. MDM can provide scalability by supporting BYOD (bring your own device) scenarios without requiring extra appliance or licenses. BYOD allows employees to use their personal devices for work purposes, which can reduce costs and increase productivity. However, BYOD also introduces security and compliance risks, which MDM can mitigate by enforcing policies, monitoring device status, and performing remote actions. MDM can also integrate with other Cisco security solutions such as Identity Services Engine (ISE) and Umbrella to provide additional protection and visibility. According to the Cisco SCOR course, MDM can provide the following benefits for BYOD1:

Simplify device enrollment and configuration

Automate device compliance checks and remediation

Apply granular policies based on device type, user role, location, and network

Enable secure access to corporate resources and applications

Protect data at rest and in transit with encryption and VPN

Detect and respond to device threats and vulnerabilities

Wipe or lock devices in case of loss or theft

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 4: Secure Connectivity - Lesson 4.3: Mobile Device Management (MDM)

URL conditions in access control rules allow you to limit the websites that users on your network can access. This feature is called URL filtering. There are two ways you can use access control to specify URLs you want to block (or, conversely, allow):

– With any license, you can manually specify individual URLs, groups of URLs, and URL lists and feeds to achieve granular, custom control over web traffic.

– With a URL Filtering license, you can also control access to websites based on the URL’s general

classification, or category, and risk level, or reputation. The system displays this category and reputation data in connection logs, intrusion events, and application details.

Using category and reputation data also simplifies policy creation and administration. It grants you assurance that the system will control web traffic as expected. Finally, because Cisco’s threat intelligence is continually updated with new URLs, as well as new categories and risks for existing URLs, you can ensure that the system uses up-to-date information to filter requested URLs. Malicious sites that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies.

Explanation

Cisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email security

infrastructure both on premises and in the cloud. You can change the number of on-premises versus cloud

users at any time throughout the term of your contract, assuming the total number of users does not change.

This allows for deployment flexibility as your organization’s needs change.

Explanation

The data plane of any network is responsible for handling data packets that are transported across the network.

(The data plane is also sometimes called the forwarding plane.)

Maybe this Qwants to ask about the encryption and authentication in the data plane of a SD-WAN network (but SD-WAN is not a topic of the SCOR 350-701 exam?).

In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetrickey algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates.

Northbound APIs (SDN northbound APIs) are typically RESTful APIs that are used to communicate between the SDN controller and the services and applications running over the network. Such northbound APIs can be used for the orchestration and automation of the network components to align with the needs of different applications via SDN network programmability1. The management solution is an example of an application that can use the northbound APIs to interact with the SDN controller and configure, monitor, and troubleshoot the network devices and services2. Therefore, the main function of northbound APIs in the SDN architecture is to enable communication between the SDN controller and the management solution. References: 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: Software-Defined Networking Security and Network Programmability

 SaaS stands for Software as a Service, which is a cloud service offering that allows customers to access a web application that is being hosted, managed, and maintained by a cloud service provider. SaaS applications are typically accessed through a web browser or a mobile app, and the customers do not need to install, update, or maintain any software or hardware on their own. SaaS applications can provide various benefits, such as lower upfront costs, faster deployment, scalability, and automatic updates. Some examples of SaaS applications are Gmail, Salesforce, Zoom, and Netflix123.

IaC stands for Infrastructure as Code, which is a method of provisioning and managing cloud resources using code or scripts, rather than manual processes or graphical user interfaces. IaC can help automate and standardize the deployment and configuration of cloud infrastructure, as well as improve consistency, reliability, and security. IaC is not a cloud service offering, but rather a technique or practice that can be used with different cloud service models, such as IaaS or PaaS45.

IaaS stands for Infrastructure as a Service, which is a cloud service offering that provides customers with access to virtualized computing resources, such as servers, storage, networks, and operating systems. IaaS customers can rent or lease these resources from a cloud service provider, and have full control over their configuration and management. IaaS customers are responsible for installing, updating, and maintaining their own applications and middleware on top of the cloud infrastructure. IaaS can provide various benefits, such as flexibility, scalability, cost-effectiveness, and security. Some examples of IaaS providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform .

PaaS stands for Platform as a Service, which is a cloud service offering that provides customers with access to a cloud-based platform that includes the infrastructure, operating system, middleware, and development tools needed to build, deploy, and run applications. PaaS customers can focus on developing and running their own applications, without worrying about the underlying cloud infrastructure or software. PaaS can provide various benefits, such as faster development, scalability, compatibility, and security. Some examples of PaaS providers are Heroku, AWS Elastic Beanstalk, and Google App Engine .

References := 1: IaaS vs. PaaS vs. SaaS | IBM 2: What is SaaS? Software as a service explained | InfoWorld 3: SaaS - Software as a Service | Oracle 4: What is Infrastructure as Code (IaC)? | Red Hat 5: Infrastructure as Code (IaC) | AWS : What is IaaS? Infrastructure as a service explained | InfoWorld : IaaS - Infrastructure as a Service | Oracle : Cloud Computing Services | Google Cloud : What is PaaS? Platform as a service explained | InfoWorld : PaaS - Platform as a Service | Oracle : Cloud Services - Deploy Cloud Apps & APIs | Microsoft Azure

Explanation

FlexVPN supports IKEv2 -> Answer A is not correct.

DMVPN supports both IKEv1 & IKEv2 -> Answer B is not correct.

FlexVPN support multiple SAs -> Answer D is not correct.

In transparent mode, the WSA can handle both explicit and transparent HTTP requests, depending on how the client browser is configured. The WSA must pretend to be the origin content server for transparent requests, since the client is unaware of the existence of a proxy1. WCCP v2 is a protocol that allows a WCCP-enabled device (such as a router or a switch) to redirect traffic to the WSA based on certain criteria, such as destination port 802. This way, the client does not need to configure a proxy or a PAC file in the browser. The other options are false because they are either required for explicit mode or not supported by the WSA. References :=

What is the difference between transparent and forward proxy mode?

Configure Transparent Redirection With WCCP in Order to Support HTTP, HTTPS, and Native FTP Traffic

Explanation

Explanation

You can also monitor on-premises networks in your organizations using Cisco Stealthwatch Cloud. In order to do so, you need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical appliance).

To force a session to be adjusted after a policy change is made, two configurations are required on Cisco ISE and on Cisco TrustSec devices: Dynamic Authorization and Change of Authorization (CoA). Dynamic Authorization allows Cisco ISE to send commands to network devices to change the authorization status of a user session. CoA is a feature that enables Cisco ISE to send a RADIUS message to a network device to reauthenticate or disconnect a user session. These two configurations enable Cisco ISE to apply the updated policy to the user session without requiring the user to log out and log in again.

According to the source book, the steps to configure Dynamic Authorization and CoA are as follows1:

On Cisco ISE, navigate to Administration > Network Resources > Network Devices and select the network device that supports TrustSec.

On the Edit Network Device page, select the Advanced TrustSec Settings tab and check the Support for CoA check box.

On the same tab, select the appropriate CoA type from the drop-down list. The options are RADIUS Disconnect, Port Bounce, and Reauth.

Click Submit to save the changes.

On the network device, enter the global configuration mode and issue the command aaa server radius dynamic-author to enable Dynamic Authorization.

Optionally, you can specify the source interface, authentication key, and port number for the Dynamic Authorization messages.

Exit the global configuration mode and save the configuration.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.2: Implementing TrustSec, Topic 4.2.3: Configuring TrustSec on Cisco ISE and Network Devices, pp. 4-83 to 4-85.