Free Cisco 350-701 Practice Exam with Questions & Answers | Set: 12

The Web Security Appliance (WSA) supports different authentication protocols and schemes to acquire end-user credentials. The most common protocols are NTLMSSP and Kerberos, which are both supported by Active Directory realms. NTLMSSP is a challenge-response authentication protocol that uses a hash of the user’s password to authenticate. Kerberos is a ticket-based authentication protocol that uses a trusted third-party (the Key Distribution Center) to issue tickets to the user and the service. Both protocols are more secure and widely supported than Basic authentication, which sends the user’s credentials in clear text. CHAP, TACACS+, and RADIUS are not supported by the WSA for end-user authentication, although they can be used for external authentication of administrators or for credential encryption. References: 1, 2, 3

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-742373.html

https://frontegg.com/blog/authentication

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It blocks requests to malicious domains or IPs before a connection is even established, and logs and inspects all web traffic for greater transparency, control, and protection1.

However, not all domains or IPs are clearly malicious or benign. Some of them may be risky, meaning that they host both legitimate and malicious content, or that they have a low reputation score based on various factors. For these domains or IPs, Cisco Umbrella offers the option to proxy the traffic through the intelligent proxy, which is a selective web proxy that performs deeper inspection and analysis of the web content2.

The intelligent proxy can apply URL filtering, file inspection, and file type control to the proxied traffic, and block or allow it based on the policy settings. The intelligent proxy can also leverage Cisco Advanced Malware Protection (AMP) and antivirus engines to scan files for malware and threats3.

Therefore, by using the intelligent proxy, Cisco Umbrella can manage traffic that is directed toward risky domains more effectively, and provide an additional layer of security and visibility for the organization.

References :=

Manage the Intelligent Proxy

Manage File Inspection

Cisco Umbrella At a Glance

 The Cisco Umbrella package that supports selective proxy for inspection of traffic from risky domains is SIG Advantage. SIG stands for Secure Internet Gateway, and it is a cloud-based service that provides comprehensive web security and threat intelligence. SIG Advantage includes all the features of DNS Security Advantage, such as DNS-layer protection, intelligent proxy, and cloud-delivered firewall, plus additional features such as full proxy, SSL decryption, advanced malware protection, and data loss prevention. Selective proxy is a feature that allows Umbrella to route risky domain requests to a proxy for deeper URL and file inspection, without impacting the performance or latency of legitimate traffic. Selective proxy is based on the reputation of the domains, which are classified into three categories: good, bad, and grey. Good domains are allowed without proxying, bad domains are blocked at the DNS layer, and grey domains are proxied for further inspection. Selective proxy is available in both DNS Security Advantage and SIG Advantage packages, but only SIG Advantage offers full proxy for all web traffic, which provides more granular control and visibility over web transactions and file types. References:

Cisco Umbrella Packages

Why Umbrella DNS Security?

Manage the Intelligent Proxy

Cisco Umbrella - Selected Proxy versus Full Proxy

 Cisco ISE supports two types of WebAuth for BYOD: central WebAuth and local WebAuth. Central WebAuth is the default method and it uses the ISE portal to authenticate the users and redirect them to the BYOD portal. Local WebAuth is an alternative method that uses the network access device (NAD) portal to authenticate the users and then redirects them to the ISE BYOD portal. Both methods require the configuration of a guest component on ISE, which is used to create the BYOD portal and the guest user accounts. The guest component also provides the self-service onboarding and registration features for the BYOD users. The dual component is not related to BYOD, but rather to the dual-SSID method, which uses two separate SSIDs for provisioning and access. The null WebAuth component is not a valid option for BYOD. References :=

Some possible references are:

Cisco ISE BYOD Prescriptive Deployment Guide

Configure Single SSID Wireless BYOD on Windows and ISE

Cisco ISE for BYOD and Secure Unified Access, 2nd Edition

two-factor authentication. Two-factor authentication (2FA) is a security measure that requires users to provide two pieces of evidence to verify their identity before accessing SaaS-based applications1. These pieces of evidence can be something the user knows (such as a password or a PIN), something the user has (such as a smartphone or a token), or something the user is (such as a fingerprint or a face scan)1. 2FA enhances the security of SaaS-based applications by making it harder for attackers to compromise login credentials and gain unauthorized access to sensitive data and resources2. The other options are not correct because they are not sufficient to secure SaaS-based applications. Modular policy framework (MPF) is a feature of Cisco ASA that allows administrators to create and apply security policies to traffic flows3. However, MPF alone cannot protect SaaS-based applications from web-based threats or data breaches. Application security gateway (ASG) is a device that provides firewall, intrusion prevention, and content filtering services for web applications4. However, ASG cannot prevent credential theft or account takeover attacks that target SaaS-based applications. End-to-end encryption (E2EE) is a method of encrypting data in transit and at rest, so that only the sender and the receiver can decrypt it. However, E2EE cannot prevent unauthorized access to SaaS-based applications if the encryption keys are compromised or stolen. References:

1: What is Two-Factor Authentication (2FA)?

2: How to Secure Your SaaS Applications

3: Modular Policy Framework Overview

4: What is an Application Security Gateway?

: What is End-to-End Encryption?

 The Cisco ESA uses the Sender Domain Reputation (SDR) service to assign a reputation verdict to each message based on the sender’s domain and other attributes. The SDR verdicts range from Awful to Good, and each verdict has a corresponding reputation score. The administrator can configure a message or content filter to take action on messages based on their SDR verdict or score. For example, the administrator can set a threshold score to drop messages that have a poor or awful reputation. However, if the SDR service cannot determine a verdict for a message, it assigns an undetermined verdict with a score of -1. This means that the message will not be dropped by the filter unless the administrator explicitly sets the threshold to -1 or lower. Therefore, the reason why the Cisco ESA is not dropping files that have an undetermined verdict is because the file has a reputation score that is above the threshold. References :=

Some possible references are:

Configure Sender Domain Reputation for ESA

Sender Domain Reputation Filtering

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Explanation

The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.

 To configure the Cisco ASA via ASDM for SNMPv3, the administrator needs to perform two main tasks: specify an SNMP user group and add an SNMP USM entry. An SNMP user group defines the access level and security model for a group of SNMP users. An SNMP USM entry defines the authentication and encryption parameters for a specific SNMP user. These two tasks are required for SNMPv3 because it uses a user-based security model (USM) that provides secure access to the MIB objects. SNMPv3 does not use a community string, which is a shared password used by SNMPv1 and SNMPv2c. The SNMP manager and UDP port are optional parameters that can be specified to customize the SNMP communication. The SNMP host access entry is also optional and can be used to restrict the access of SNMP hosts to specific interfaces or networks. References :=

Some possible references are:

SNMP Configuration, Verification and Troubleshooting on ASA

How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus

SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

The W32/AutoRun worm is a type of malware that spreads through removable drives, such as USB flash drives, and modifies the autorun.inf file to execute itself when the drive is inserted. The worm also attempts to connect to a remote server and download additional malicious files. One of the features of this worm is that it generates random domain names based on the current date and time, and sends DNS requests to these domains. This is a technique to evade detection and analysis, as well as to communicate with the command and control server. The DNS requests generated by the worm have a distinctive pattern, such as the length of the domain name, the number of subdomains, and the use of redacted characters. By comparing these features to the expected behavior of normal DNS requests, security analysts can identify the presence of the worm and block its traffic. References :=

Some possible references are:

W32/AutoRun worm

DNS requests malicious attack

Four major DNS attack types and how to mitigate them