Free Practice Questions for Cisco 350-701 Exam

Explanation

Explanation

… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower

Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

Explanation

Explanation

The Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

Time synchronization is one of the features that can be configured for managed devices in the device platform settings of the Firepower Management Center (FMC). Time synchronization ensures that the FMC and its managed devices have the same date and time settings, which is important for accurate event logging and reporting. The FMC can act as a Network Time Protocol (NTP) server for its managed devices, or it can use an external NTP server as a time source1. The FMC can also synchronize its time with the system clock of the device where it is installed2. References := 1: Firepower Management Center Device Configuration Guide, 7.1 - Platform Settings 2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics

NTP uses UDP port 123 to communicate with its servers and peers. If the Cisco ASA has IP reachability to the NTP server and is not filtering any traffic, then the most likely cause of the unsynchronized state and the stratum of 16 is that the NTP server is not working properly or is not configured to provide NTP service. A stratum of 16 means that the NTP server is unreachable or is not considered a viable candidate1. The value.INIT. in the refid column indicates that NTP is initializing, and the server has not yet been reached1. To resolve this issue, the network engineer should verify the status and configuration of the NTP server, and use a different server if needed. Alternatively, the network engineer can use the ntp server command with the prefer keyword to specify a preferred NTP server, or use the ntp update-calendar command to force a resynchronization of NTP2. References:

1: NTP server is unsynchronized or unreachable, a Wireshark perspective.

2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Network Security, Lesson 1.3: Configuring Network Time Protocol.

Explanation

Only in On-site (on-premises) and IaaS we (tenant) manage O/S (Operating System).

RADIUS Change of Authorization (CoA) is a feature of Cisco ASA that allows VPN users to be postured against Cisco ISE without requiring an inline posture node. RADIUS CoA enables the ISE to send a message to the ASA to change the authorization attributes of an existing VPN session, such as the assigned IP address, ACL, or group policy. This way, the ISE can dynamically adjust the access level of the VPN user based on the posture assessment results, without the need for an intermediate device to enforce the policy change12. RADIUS CoA is supported by the ASA since version 9.2.13. References: 1: ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco 2: How To: ISE and ASA Integration using CoA for Posture - Cisco Community 3: How To Configure Posture with AnyConnect Compliance … - Cisco CommunityQUESTION NO: 94

What two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services?

(Choose two)

A. multiple factor auth

B. local web auth

C. single sign-on

D. central web auth

E. TACACS+

Answer: B, D

 Local web authentication (LWA) and central web authentication (CWA) are two mechanisms that are used to redirect users to a web portal to authenticate to ISE for guest services. Both methods involve the use of a redirect access control list (ACL) that allows the user to access only the web portal URL and blocks all other traffic until the user is authenticated. The difference between LWA and CWA is where the web portal and the authentication logic are hosted.

LWA: The web portal and the authentication logic are hosted on the wireless LAN controller (WLC). The WLC sends a RADIUS access-accept message to the network access device (NAD) along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the WLC, where the user enters their credentials. The WLC verifies the credentials with the ISE and grants or denies access to the user. The advantage of LWA is that it does not require any configuration on the ISE, but the disadvantage is that it does not support advanced features such as posture assessment, profiling, or authorization policies.

CWA: The web portal and the authentication logic are hosted on the ISE. The WLC sends a RADIUS access-challenge message to the NAD along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the ISE, where the user enters their credentials. The ISE verifies the credentials and sends a RADIUS access-accept message to the WLC with the authorization profile and the final ACL. The WLC then applies the authorization profile and the final ACL to the user session. The advantage of CWA is that it supports advanced features such as posture assessment, profiling, or authorization policies, but the disadvantage is that it requires more configuration on the ISE.

References :=

Configure Guest Access

Web Authentication Redirection to Original URL

Configure Local Web Authentication with External Authentication

Explanation

Protect sensitive content in outgoing emails with Data Loss Prevention (DLP) and easy-to-use email

encryption, all in one solution.

Cisco Email Security appliance can now handle incoming mail connections and incoming messages from

specific geolocations and perform appropriate actions on them, for example:

– Prevent email threats coming from specific geographic regions.

– Allow or disallow emails coming from specific geographic regions.

the routing of traffic through the Cisco Umbrella network is to browse to http://welcome.umbrella.com/. This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

How To: Successfully test to ensure you’re running Umbrella correctly

Add a Network Identity

Explanation

SQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives

(“injects”) you an SQL statement that you will unknowingly run on your database. For example:

Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a select

string. The variable is fetched from user input (getRequestString):

txtUserId = getRequestString(“UserId”);

txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;

If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:

SELECT * FROM Users WHERE UserId = 100 OR 1=1;

The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. A

hacker might get access to all the user names and passwords in this database.

Simple Custom Detection is a feature of Cisco AMP for Endpoints that allows administrators to block specific files based on their SHA-256 or MD5 hashes. This feature can be used to detect and quarantine files of unknown disposition, such as abc424400664.zip, by adding their hashes to a custom list in the AMP portal. The list can then be applied to a policy that is assigned to the endpoints. Simple Custom Detection works on files of any type, size, or platform, unlike the other options that are either platform-specific (Android Custom Detection), size-limited (Blocked Application), or signature-based (Advanced Custom Detection). References: 1, 2, 3

Explanation

The data plane of any network is responsible for handling data packets that are transported across the network.

(The data plane is also sometimes called the forwarding plane.)

Maybe this Qwants to ask about the encryption and authentication in the data plane of a SD-WAN network (but SD-WAN is not a topic of the SCOR 350-701 exam?).

In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetrickey algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates.