Pass the Cisco CCNP Security 350-701 Questions and answers with CertsForce

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

To enable a separated email transfer flow from the Internet and from the LAN, the engineer must use the two-interface deployment mode on the Cisco WSA. This mode allows the WSA to have two separate network interfaces, one for the Internet traffic and one for the LAN traffic. This way, the WSA can apply different policies and settings for each interface, and isolate the email flows from each other. The two-interface mode also provides better performance and security than the single-interface mode, which uses only one network interface for both Internet and LAN traffic12. The other deployment modes, such as multi-context, transparent, or single-interface, do not support a separated email transfer flow from the Internet and from the LAN. References:

Two-interface mode, section “Deployment”.

WSA network configuration, section “Interfaces”.

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs

IPsec - Wikipedia

AH and ESP protocols - IBM

How TLS provides identification, authentication, confidentiality, and integrity - IBM

Explanation

Spero analysis is a feature of Cisco AMP for Networks that examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud for analysis1. Spero analysis can detect malware based on the file’s structure and behavior, without requiring a full file upload2. Spero analysis is different from dynamic analysis, sandbox analysis, and malware analysis, which are other features of Cisco AMP for Networks that perform different types of file inspection and analysis3. References: 1: How to configure Firepower AMP to not upload files to … - Cisco Community 2: File Policies - Network Direction 3: Cisco AMP for Networks - Cisco