Free Cisco 350-701 Practice Exam with Questions & Answers | Set: 5

Explanation

Each of the ASAs interfaces need to be grouped into one or more bridge groups. Each of these groups acts as an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge group without assistance from an external router.

As of 8.4(1) upto 8 bridge groups are supported with 2-4 interface in each group. Prior to this only one bridge group was supported and only 2 interfaces.

Up to 4 interfaces are permitted per bridge–group (inside, outside, DMZ1, DMZ2)

 Cisco Workload Optimization Manager (CWOM) is a decision-automation engine that provides workloads with the exact resources they need at the right time in accordance with business policies, freeing IT teams to focus on innovation rather than the maintenance of their IT environment1. CWOM is part of the Cisco SecureX platform, which integrates various security solutions, including endpoint protection platforms (EPPs), to provide a unified and simplified security experience2. CWOM does not deploy an AWS Lambda system, optimize a flow path, or set up a workload forensic score. These are not related to CWOM’s functionality or EPP solutions. CWOM automates resource resizing, which means it can dynamically adjust the CPU, memory, disk, and network resources allocated to each workload based on real-time demand and performance metrics1. This helps EPP solutions to solely address performance issues by ensuring that workloads have the optimal resources to run efficiently and securely, without overprovisioning or underutilizing resources3. References: 1: Cisco Workload Optimization Manager (CWOM) - Cisco, 2: Endpoint Protection Platform (EPP) Definition - Cisco, 3: Cisco Intersight Workload Optimizer Data Sheet

Explanation

Explanation

Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and

scalability needs.

 The error 403: Forbidden indicates that the web server denied access to the requested resource, which in this case is the PCAP file. One possible reason for this error is that the HTTPS server is not enabled for the device platform policy, which is a configuration that applies to the FTD devices managed by the FMC. The device platform policy defines the settings for the management interface, the SSH access, the SNMP, the NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must enable the HTTPS server for the device platform policy in order to resolve this issue. To enable the HTTPS server for the device platform policy, the engineer must follow these steps:

Log in to the FMC web interface and navigate to Devices > Platform Settings.

Select the device platform policy that applies to the FTD device and click Edit.

In the General tab, check the Enable HTTPS Server checkbox and click Save.

Deploy the policy changes to the FTD device and wait for the deployment to complete.

Try to access the PCAP file again from the FMC web browser using the same address.

Alternatively, the engineer can also enable the HTTPS server for the FTD device from the FTD CLI using the command configure network https-server enable. However, this method is not recommended because it may cause a configuration conflict with the FMC123

References := 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco 3: Cisco Firepower Threat Defense Command Reference - C through D Commands [Cisco Firepower NGFW] - Cisco

Explanation

Explanation

Cryptographic algorithms defined for use with IPsec include:

+ HMAC-SHA1/SHA2 for integrity protection and authenticity.

+ TripleDES-CBC for confidentiality

+ AES-CBC and AES-CTR for confidentiality.

+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

The target in a phishing attack is the endpoint, which is the device or system that the user interacts with, such as a computer, smartphone, or tablet. Phishing attacks aim to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers, or clicking on malicious links or attachments that can install malware on the endpoint. Phishing attacks can be delivered through various channels, such as email, phone, or text message, but they all rely on social engineering techniques to manipulate the user’s trust and curiosity. By compromising the endpoint, attackers can gain access to the user’s accounts, files, network, or other resources. Therefore, endpoint security is essential to prevent phishing attacks and protect the user’s data and identity. References:

What Is a Phishing Attack? Definition and Types - Cisco

8 types of phishing attacks and how to identify them

What Is Phishing? | Microsoft Security

Phishing | What Is Phishing?

The access control rule in the exhibit has the following characteristics:

The rule name is DMZ_Rule and it is enabled.

The action set for this rule is Trust, meaning traffic matching this rule will not be subjected to further inspection.

The source zones are not specified, meaning any zone can match this rule.

The destination zone is DMZ_Inside, meaning only traffic destined to this zone can match this rule.

Therefore, the effect of this rule is that all traffic from any zone to the DMZ_Inside zone will be permitted with no further inspection. This is the correct answer, option A.

The other options are incorrect because they do not match the configuration of the rule or the behavior of the Trust action. Option B is incorrect because traffic will be allowed through to the DMZ_Inside zone, not blocked. Option C is incorrect because traffic will not be inspected before being allowed to the DMZ_Inside zone. Option D is incorrect because traffic does not need to be trusted to be allowed to the DMZ_Inside zone. References:

Firepower Management Center Configuration Guide, Version 6.6 - Access Control Rules

Firepower Management Center Device Configuration Guide, 7.1 - Access Control Policies

How to Deploy FMC/FTD part 2 – Access Control Policies

Cisco ISE and pxGrid use the IETF (Internet Engineering Task Force) standards to integrate with each other and with other interoperable security platforms. IETF is an open, international community of network designers, operators, vendors, and researchers who produce voluntary standards for the Internet. Cisco pxGrid is based on the IETF standards-track XMPP (Extensible Messaging and Presence Protocol) and RESTCONF (Representational State Transfer Configuration Protocol) technologies. These standards enable Cisco pxGrid to provide a scalable, secure, and open data-sharing platform that supports multiple security products and services. Cisco ISE uses the IETF standards-track RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols to provide network access control and policy enforcement. Cisco ISE also supports the IETF standards-track SXP (Security Group Tag eXchange Protocol) to propagate security group tags across the network. By using the IETF standards, Cisco ISE and pxGrid can interoperate with other security platforms that support the same standards, such as Infoblox, Splunk, Rapid7, and more. References:

Cisco pxGrid - Cisco

ISE pxGrid General Information & FAQ - Cisco Community

How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid

Infoblox DDI, Cisco ISE, and the pxGrid Solution Platform

Microsegmentation is a network security technique that enables security architects to logically divide the data center or cloud environment into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. Microsegmentation software with network virtualization technology is used to create zones in cloud deployments. These granular secure zones isolate workloads, securing them individually with custom, workload-specific policies. Microsegmentation uses a zero-trust model, which means that no traffic is allowed by default, and only explicitly authorized traffic is permitted based on the principle of least privilege. Microsegmentation helps to reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance. The other options are incorrect because they do not describe microsegmentation accurately. Option B is incorrect because container orchestration platforms, such as Kubernetes, are used to automate the deployment, scaling, and management of containerized applications, but they do not provide microsegmentation by themselves. Option C is incorrect because private VLAN segmentation is a network security technique that isolates hosts within the same VLAN, but it does not provide granular security controls at the workload level. Option D is incorrect because host-based firewall rules are one of the components of microsegmentation, but they are not sufficient to implement microsegmentation without network virtualization and policy automation. References : What Is Microsegmentation? - Palo Alto Networks, What Is Micro-Segmentation? - Cisco, What is Micro-Segmentation? | VMware Glossary

 Cisco Web Security Appliance (WSA) is the platform that automatically blocks risky sites, and tests unknown sites for hidden advanced threats before allowing users to click them, using Cisco Cognitive Threat Analytics. Cisco Cognitive Threat Analytics is a cloud-based solution that reduces the time to discovery of threats operating inside the network by analyzing web traffic and detecting anomalous behavior. Cisco WSA integrates with Cisco Cognitive Threat Analytics to provide enhanced web security and breach detection. Cisco WSA can also leverage other Cisco security solutions, such as Cisco Umbrella, Cisco Advanced Malware Protection (AMP), and Cisco Talos Intelligence Group, to provide comprehensive web security. References:

Cisco Web Security Appliance (WSA)

Cisco Cognitive Threat Analytics At-a-Glance

Introducing Cisco Cognitive Threat Analytics

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 3: Cloud and Content Security

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

Explanation

In its essence, FlexVPN is the same as DMVPN. Connections between devices are still point-to-point GRE tunnels, spoke-to-spoke connectivity is still achieved with NHRP redirect message, IOS routers even run the same NHRP code for both DMVPN and FlexVPN, which also means that both are Cisco’s proprietary technologies.

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.

DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html