Free Cisco 350-701 Practice Exam with Questions & Answers | Set: 3

This is a type of Outbreak Control list that allows the administrator to create a list of files based on their SHA-256 hash values that will be detected, blocked, and quarantined by the AMP for Endpoints connectors. The Simple Custom Detection list can be applied to a policy and synchronized with the devices that have the AMP connectors installed. This way, the administrator can prevent the execution of specific files without having to quarantine them on the devices.

The other options are incorrect because:

Advanced Custom Detection is a type of Outbreak Control list that allows the administrator to create custom rules based on file attributes, such as file name, size, path, or parent process. These rules can be used to detect and block files that match certain criteria, but they cannot be used to quarantine them.

Blocked Application is a type of Outbreak Control list that allows the administrator to create a list of applications based on their SHA-256 hash values that will be blocked from running on the devices that have the AMP connectors installed. However, this list does not detect or quarantine the applications, only prevents them from executing.

Isolation is a feature of AMP for Endpoints that allows the administrator to isolate a device from the network if it is compromised by malware. This prevents the device from communicating with other devices or the internet, but does not affect the files on the device.

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs

IPsec - Wikipedia

AH and ESP protocols - IBM

How TLS provides identification, authentication, confidentiality, and integrity - IBM

 To enable CWA for wireless guest access, the ISE engineer needs to configure the following steps on the ISE server:

Create a guest portal with the desired settings and appearance.

Create an authorization profile that references the guest portal and the DACL name for the Airespace ACL configured on the WLC. The DACL name must match the name of the ACL on the WLC exactly. The authorization profile also needs to have the common tasks of Web Redirection and Web Authentication enabled.

Create an authorization policy that matches the unauthenticated devices based on the MAC address or other criteria and applies the authorization profile created in the previous step.

The DACL name is required for the WLC to apply the correct ACL to the guest endpoints and redirect them to the guest portal. Without the DACL name, the WLC will not know which ACL to use and may grant full guest access to the endpoints. Therefore, the correct answer is D.

References :=

Some possible references are:

Central Web Authentication (CWA) for guests with ISE

Understand And Troubleshoot Central Web-Authentication (CWA) In Guest Anchor Set-Up

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Release 17.3.0 - Guest Access

Explanation

Explanation

The Cisco Application Visibility and Control (AVC) solution leverages multiple technologies to recognize,

analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer

(P2P), and cloud-based applications. AVC combines several Cisco IOS/IOS XE components, as well as

communicating with external tools, to integrate the following functions into a powerful solution…

FlexVPN and DMVPN are both Cisco technologies that use point-to-point GRE tunnels to create dynamic VPN networks. However, they differ in some aspects, such as:

FlexVPN is a newer solution that requires newer hardware and IOS versions, while DMVPN is more widely supported on older devices1.

FlexVPN is based on IKEv2, which is a more robust and efficient protocol than IKEv1, which is used by DMVPN (although DMVPN can also use IKEv2)2.

FlexVPN uses static or virtual access interfaces for GRE tunnels, while DMVPN uses a single multipoint GRE interface. This allows more flexibility and visibility for FlexVPN tunnels2.

FlexVPN does not require NHRP registration for spokes to communicate with the hub, while DMVPN does. This simplifies the configuration and reduces the overhead of NHRP3.

FlexVPN has only one standard mode of operation, while DMVPN has three phases with different characteristics and configurations2.

References := 1: what is the difference between dmvpn and flexvpn 2: Cisco FlexVPN DMVPN, Part 1 - Overview and Design 3: DMVPN to FlexVPN Soft Migration Configuration Example

Container orchestration is the automated process of organizing the functions of modular, containerized components that create the infrastructure of an application1. Container orchestration tools, such as Kubernetes, provide a framework for managing containers and microservices architecture at scale2. A feature of container orchestration is the ability to deploy Kubernetes clusters in air-gapped sites, which are isolated from the internet and other networks for security reasons3. Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of Kubernetes clusters in any environment, including air-gapped sites4. CCP provides a data plane that runs on the Kubernetes nodes and handles the container networking, storage, and security. CCP also provides a control plane that runs on a separate management cluster and provides a web-based user interface and API for cluster operations. CCP supports the deployment of Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) clusters on the data plane, but not on air-gapped sites. References: 1: What Is Container Orchestration? | AppDynamics 2: What is container orchestration? - Red Hat 3: Container orchestration for microservices - Azure Architecture Center 4: Cisco Container Platform Data Sheet : Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Cloud and Network Security, Lesson 5.3: Cisco Cloud Security Solutions, Topic 5.3.2: Cisco Container Platform : Cisco Container Platform User Guide, Release 5.1, Chapter: Deploying Amazon ECS Clusters

Explanation

Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your employees even when they are off the VPN.

Explanation

In order to use AAA along with an external token authentication mechanism, set the “Method” as “Both” in

the Authentication.

The Cloudlock Apps Firewall is a feature of Cisco Cloudlock, which is a cloud-native cloud access security broker (CASB) that helps organizations move to the cloud safely. The Cloudlock Apps Firewall mitigates security concerns from an application perspective by discovering and controlling cloud apps that are connected to a company’s corporate environment, such as Google G Suite or Microsoft Azure Active Directory (AD). These cloud apps are authorized through OAuth to access corporate data and resources via APIs, and may pose risks such as data exfiltration, account compromise, or malicious behavior. The Cloudlock Apps Firewall provides visibility into the app ecosystem, including the app name, category, risk level, access scopes, and number of users. It also allows administrators to ban or allowlist apps based on their risk profile and compliance requirements. Additionally, the Cloudlock Apps Firewall leverages a crowd-sourced Community Trust Rating for each app, which reflects the feedback from other Cloudlock customers on the app’s security and functionality. References :=

Cisco Content Security Products

Cisco Cloudlock - Cisco

Shadow IT Control with Apps Firewall - Cisco

Test scor q151 - q200

Explanation

Cisco Cognitive Threat Analytics helps you quickly detect and respond to sophisticated, clandestine attacks that are already under way or are attempting to establish a presence within your environment. The solution automatically identifies and investigates suspicious or malicious web-based traffic. It identifies both potential and confirmed threats, allowing you to quickly remediate the infection and reduce the scope and damage of an attack, whether it’s a known threat campaign that has spread across multiple organizations or a unique threat you’ve never seen before.

Detection and analytics features provided in Cognitive Threat Analytics are shown below:

+ Data exfiltration: Cognitive Threat Analytics uses statistical modeling of an organization’s network to identify anomalous web traffic and pinpoint the exfiltration of sensitive data. It recognizes data exfiltration even in HTTPS-encoded traffic, without any need for you to decrypt transferred content

+ Command-and-control (C2) communication: Cognitive Threat Analytics combines a wide range of data, ranging from statistics collected on an Internet-wide level to host-specific local anomaly scores. Combining these indicators inside the statistical detection algorithms allows us to distinguish C2 communication from benign traffic and from other malicious activities. Cognitive Threat Analytics recognizes C2 even in HTTPSencoded or anonymous traffic, including Tor, without any need to decrypt transferred content, detecting a broad

range of threats

…

Cisco SensorBase gathers threat information from a variety of Cisco products and services, such as Cisco IPS, Cisco ASA, Cisco IronPort, Cisco Umbrella, and Cisco Talos, and performs analytics to find patterns on threats. This process is called consumption, which is one of the four phases of the Cisco Security Intelligence Operations (SIO) framework. The consumption phase involves collecting, aggregating, and analyzing threat data from multiple sources and providing actionable intelligence and tools to customers and partners. The consumption phase also leverages the Cisco SensorBase Network, which is the world’s largest threat monitoring network that tracks millions of domains and IP addresses around the world and maintains a global watch list for Internet traffic. SensorBase provides Cisco with an assessment of reliability for known Internet domains and IP addresses, based on their reputation score, category, volume, and threat level. SensorBase also provides threat data overviews, such as the top email and spam senders by country, and the standard categories used to classify website content and attack types1234. References := 1: How Cisco’s SensorBase works | Network World 2: What is Cisco SensorBase? - networklore.com 3: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD … 4: Cisco Security Intelligence Operations At-A-Glance

Explanation

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/

m_ise_interoperability_mdm.html

 To configure a flow-export action on a Cisco ASA, you need to use the flow-export event-type command and the policy-map command. The flow-export event-type command specifies the type of events that trigger the export of NetFlow Security Event Logging (NSEL) records to a collector. The policy-map command creates or modifies a policy map that can be applied to one or more interfaces to specify a service policy. A service policy consists of a traffic class and one or more actions to be applied to the traffic class. One of the actions can be a flow-export action that matches the NSEL events and sends them to a collector. The other commands are not required for configuring a flow-export action. The access-list command creates or modifies an access list that can be used to filter traffic or match traffic classes, but it is not mandatory for a flow-export action. The flow-export template timeout-rate command specifies how often the ASA sends the template to the collector, but it is not part of the flow-export action configuration. The access-group command applies an access list to an interface, but it is not related to the flow-export action. References:

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Network Secure Event Logging (NSEL)

Solved: Flow-Export problem - Cisco Community

How to configure NetFlow on Cisco ASA firewalls - Auvik Support

Configuring Cisco’s ASA for NSEL Export to the StealthWatch System