Free Cisco 350-701 Practice Exam with Questions & Answers | Set: 8

NetFlow is a baseline form of telemetry that is recommended for network infrastructure devices. NetFlow is a technology that collects and exports information about IP traffic flows on enabled interfaces. NetFlow can provide valuable insight into the network performance, utilization, behavior, and security. NetFlow can help identify anomalies, such as DDoS attacks, malware, or misconfigurations, by comparing the current traffic patterns with the normal or baseline ones. NetFlow can also help with capacity planning, troubleshooting, and forensic analysis. NetFlow is supported on various Cisco platforms, such as routers, switches, firewalls, and IPS sensors. NetFlow can export data to different collectors and analyzers, such as Cisco Security Monitoring, Analysis and Response System (CS-MARS), Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances, Cisco Network Analysis Module (NAM), and other third-party tools. References:

In order to send web traffic transparently to the Web Security Appliance (WSA), the system administrator can use one of these two methods:

Policy-based routing (PBR) on the network infrastructure: This method allows the administrator to define routing policies based on the source or destination IP address, port number, protocol, or other criteria of the web traffic. The administrator can then apply these policies to the network interfaces or subinterfaces and redirect the matching traffic to the WSA. This method does not require any configuration on the client side and can be applied to any type of web traffic, including HTTPS and FTP. However, this method may require additional network resources and maintenance, as well as coordination with other network administrators.

Web Cache Communication Protocol (WCCP) on the WSA and the network device: This method allows the administrator to configure the WSA and the network device (such as a router, switch, or firewall) to communicate with each other using WCCP, a Cisco proprietary protocol. The network device acts as a WCCP router and redirects the web traffic to the WSA, which acts as a WCCP client. The WSA then processes the traffic and returns it to the network device, which forwards it to the original destination. This method does not require any configuration on the client side and can be applied to HTTP, HTTPS, and native FTP traffic. However, this method requires that the network device supports WCCP and that the WSA and the network device are in the same Layer 2 domain.

The RAT (Recipient Access Table) is the list that contains the allowed recipient addresses on the Cisco ESA. The RAT controls whether the ESA accepts or rejects messages to a recipient address based on the sender group and the mail policy. The RAT can be configured to allow, relay, or reject messages to specific recipients or domains. The RAT can also be used to apply different message filters or content filters to different recipient groups12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 3: Deploying Cisco Email Security Appliance, Topic: Configuring Mail Policies2: Cisco Email Security Appliance User Guide, Release 13.5 - Configuring Mail Policies [Cisco Secure Email Gateway] - Cisco.

 Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) from an attack like ARP poisoning. ARP poisoning is a technique where an attacker sends forged ARP responses to trick hosts into associating IP addresses with the attacker’s MAC address. This allows the attacker to intercept, modify, or drop traffic between the victims, creating a “man-in-the-middle” scenario. DAI can prevent this attack by validating ARP packets on untrusted interfaces, using information from the DHCP snooping database and/or an ARP access-list. If the ARP packet contains invalid MAC address to IP address bindings, it will be dropped and logged. DAI can also rate-limit ARP packets to mitigate ARP flooding attacks. DAI is configured on a per-VLAN basis and requires DHCP snooping to be enabled on the same VLANs. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.4: Implement Layer 2 Security

Understanding and Configuring Dynamic ARP Inspection

DAI (Dynamic ARP Inspection)

Device compliance is the state of devices meeting the standards and regulations for the industry or organization. Device compliance policies define the rules and settings that users and devices must meet to be compliant, such as minimum operating systems, disk encryption, or Secure Boot. Device compliance policies can also include actions that apply to devices that are noncompliant, such as alerting users, blocking access, or wiping data. Device compliance policies can be integrated with Conditional Access, which can enforce attribute-driven policies based on the compliance status of the device. Attribute-driven policies are policies that use attributes of the device, user, or resource to determine the level of access or protection. For example, a policy can allow access to a resource only if the device is compliant, the user is in a certain group, and the resource is in a certain location. Attribute-driven policies provide more granular and flexible control over access and security than traditional policies based on roles or permissions. Therefore, the benefit of performing device compliance is providing attribute-driven policies, which is option D. References:

Device compliance policies in Microsoft Intune

Device Compliance settings for Windows 10/11 in Intune

Device Compliance: What it is and why you should use it

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Cisco Stealthwatch Cloud is a cloud-delivered and SaaS-based solution that provides visibility and threat detection across the AWS network. It does not require any software agents to be installed on the AWS instances, and it relies on AWS VPC flow logs to collect network traffic metadata. Cisco Stealthwatch Cloud analyzes the flow logs using machine learning and behavioral modeling to detect anomalies and threats, such as data exfiltration, lateral movement, reconnaissance, and compromised instances. Cisco Stealthwatch Cloud also provides contextual information and actionable alerts to help users respond to incidents and remediate issues.

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It does not provide visibility and threat detection for internal AWS network traffic, and it requires software agents to be installed on the endpoints or network devices to enforce policies and redirect DNS requests.

NetFlow collectors are devices or software applications that collect and analyze NetFlow records, which are generated by network devices to capture information about IP traffic flows. NetFlow collectors can provide visibility and threat detection for network traffic, but they are not cloud-delivered or SaaS-based solutions. They also require NetFlow exporters to be configured on the network devices, which may not be supported by AWS.

Cisco Cloudlock is a cloud-delivered and SaaS-based solution that provides cloud security posture management (CSPM) and cloud access security broker (CASB) capabilities for cloud applications and environments. It does not provide visibility and threat detection for AWS network traffic, and it does not rely on AWS VPC flow logs. It focuses on protecting cloud data, users, and configurations from misconfigurations, compliance violations, and malicious activities. References :=

Cisco Stealthwatch Cloud for AWS

Cisco Umbrella

NetFlow

[Cisco Cloudlock]

 Secret key cryptography, also known as symmetric key cryptography, is a type of encryption where a single secret key is used for both encryption and decryption of a message. The cryptographic key is kept secret between the sender and receiver, making it difficult for anyone else to decipher the message. Some of the functions of secret key cryptography are:

Key selection without integer factorization: Secret key cryptography does not rely on complex mathematical problems such as integer factorization or discrete logarithms to generate keys. Instead, the keys are chosen randomly or derived from a passphrase or a shared secret. This makes the key generation process faster and simpler than in public key cryptography.

Utilization of less memory: Secret key cryptography uses less memory than public key cryptography, as it only requires one key to be stored and managed. Public key cryptography, on the other hand, requires two keys (public and private) for each user, which increases the memory overhead and complexity of key management.

The other options are not functions of secret key cryptography, but rather characteristics of public key cryptography or asymmetric cryptography, which is a different type of encryption where different keys are used for encryption and decryption. Public key cryptography has the following features:

Utilization of different keys for encryption and decryption: Public key cryptography uses a pair of keys, one public and one private, for each user. The public key can be shared with anyone, while the private key must be kept secret. The public key is used to encrypt messages, while the private key is used to decrypt them. This allows users to communicate securely without having to exchange a secret key beforehand.

Utilization of large prime number iterations: Public key cryptography relies on hard mathematical problems such as integer factorization or discrete logarithms to generate keys. These problems involve finding the prime factors of large numbers or finding the discrete logarithms of numbers in a finite field. These problems are easy to solve in one direction, but hard to solve in the reverse direction. For example, it is easy to multiply two large prime numbers, but hard to find the prime factors of the product. This makes the keys hard to break by brute force or other methods.

Provides the capability to only know the key on one side: Public key cryptography enables users to encrypt messages without knowing the recipient’s key, and vice versa. This is possible because the encryption and decryption keys are different and mathematically related. For example, Alice can encrypt a message with Bob’s public key, and only Bob can decrypt it with his private key. Alice does not need to know Bob’s private key, and Bob does not need to know Alice’s key. This also enables public key cryptography to support digital signatures, which are a way of verifying the identity and integrity of a message.

References :=

What Is Secret Key Cryptography? A Complete Guide - Helenix

Definition of Secret-key Cryptography - Gartner

Transparently identify users with authentication realms – This option is available when one or more authentication realms are configured to support transparent identification using one of the following authentication servers:

Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context Directory Agent. For more information, see Transparent User Identification with Active Directory.

LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user identification. For more information, see Transparent User Identification with LDAP.

Details:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html#:~:text=Transparently%20identify%20users%20with%20authentication,User%20Identification%20with%20LDAP.

DNSSEC (Domain Name System Security Extensions) is a technology that protects DNS from cache poisoning and spoofing attacks by digitally signing DNS data with cryptographic keys. DNSSEC ensures the integrity and authenticity of DNS responses, preventing attackers from redirecting traffic to malicious domains. Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. This means that Umbrella will only accept DNS responses that are signed and verified by the authoritative servers for each domain. To enable DNSSEC validation, the organization needs to configure Cisco Umbrella and use DNSSEC for domain authentication to authoritative servers. This will ensure that Umbrella resolvers will reject any forged or tampered DNS responses and provide secure DNS resolution for the organization’s network. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.5: Implement DNS Security

What is DNSSEC and Why Is It Important? - Cisco Umbrella

DNSSEC General Availability – Cisco Umbrella

A network administrator can transparently identify users using Active Directory on the Cisco WSA in two ways:

Create NTLM or Kerberos authentication realm and enable transparent user identification. This option allows the WSA to use the NTLM or Kerberos protocol to authenticate users without prompting them for credentials. The WSA must join the Active Directory domain and have a valid service principal name (SPN) for this option to work1.

Deploy a separate Active Directory agent such as Cisco Context Directory Agent (CDA). This option allows the WSA to receive user-to-IP mappings from the CDA, which monitors the Active Directory domain controllers for user logon events. The CDA must be installed on a Windows server and have access to the domain controllers and the WSA2.

The other options are not ways to transparently identify users using Active Directory on the Cisco WSA. Creating an LDAP authentication realm and disabling transparent user identification will require users to enter their credentials manually. Installing the eDirectory client on each client workstation or deploying a separate eDirectory server are not related to Active Directory, but to Novell eDirectory, which is a different directory service3.

References := 1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3. 2: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory Agent, page 4-5. 3: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: eDirectory, page 4-8.

Cisco Umbrella groups harmful destinations into categories of security threat, such as Malware, Command Control Callbacks, Phishing Attacks, Dynamic DNS, Potentially Harmful Domains, DNS Tunneling VPN, and Cryptomining1. When web policies are configured in Cisco Umbrella, the security category blocking provides the ability to ensure that domains are blocked when they host malware, command and control, phishing, and more threats. By enabling or disabling these categories, the administrator can control the identity access to these destinations and protect the network from malicious traffic2. References: 1: Security Categories - Umbrella User Guide 2: Manage Security Settings - Umbrella User Guide

Explanation

Explanation

Cisco’s DNA Center is the only centralized network management system to bring all of this functionality into a single pane of glass.

The Cisco DNA Center RESTful PNP API allows external applications to interact with the Plug and Play (PNP) service of Cisco DNA Center, which automates the onboarding and provisioning of network devices. The PNP API has several endpoints for different operations, such as importing, claiming, updating, and deleting devices. The endpoint that adds and claims a device into a workflow is api/v1/onboarding/pnp-device/import, which takes a JSON payload with the device information and the workflow ID. This endpoint creates a new device entry in the PNP database and associates it with the specified workflow. The workflow defines the configuration template, image, and license to be applied to the device during the provisioning process12. References:

1: See How to Use the Plug and Play API in DNA Center – Part 2

2: Cisco DNA Center Platform User Guide, Release 2.2.3

Malware installation: This may be done by hijacking DNS queries and responding with malicious IP addresses.

Command & Control communication: As part of lateral movement, after an initial compromise, DNS

communications is abused to communicate with a C2 server. This typically involves making periodic DNS

queries from a computer in the target network for a domain controlled by the adversary. The responses contain encoded messages that may be used to perform unauthorized actions in the target network.

Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the terrain so developing a map is important to them.

Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and transferring malware into the target network.