Pass the Cisco CCNP Security 350-701 Questions and answers with CertsForce

To route inbound email to Cisco Cloud Email Security (CES), the engineer must modify the MX record of the domain to point to the CES hostname or IP address. The MX record is a DNS record that specifies the mail server responsible for accepting email messages on behalf of a domain name. By changing the MX record, the engineer can direct all incoming email traffic to the CES gateway, where it can be filtered and scanned for threats before being delivered to the Microsoft Office 365 mailboxes. The other options are not relevant for this task. A CNAME record is a DNS record that maps an alias name to a canonical name. An SPF record is a DNS record that identifies the authorized senders of email for a domain. A DKIM record is a DNS record that contains a public key for verifying the digital signature of email messages sent from a domain. References :=

Some possible references for this question are:

Configure Microsoft 365 with Secure Email

Configure Microsoft 365 with Secure Email - More

[Cisco Cloud Email Security - Configuration Guide]

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

Stateful failover means that the connection state information is replicated from the active ASA to the standby ASA, so that in the event of a failover, the connections are preserved and do not need to be reestablished. Stateless failover means that the connection state information is not replicated, so that in the event of a failover, the connections are dropped and need to be reestablished by the end hosts. Stateful failover provides a smoother transition and less disruption to the network traffic, while stateless failover is simpler and less resource-intensive. References:

Failover for High Availability - Cisco

Failover Types / ASA Failover Addresses / Failover Requirements | Cisco …

Explanation

Unlike the traditional software life cycle, the CI/CD implementation process gives a weekly or daily update

instead of monthly or quarterly. The fun part is customers won’t even realize the update is in their applications,

as they happen on the fly.

Cisco ASA NetFlow v9 Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology and provides stateful, IP flow tracking for significant events in a flow. NSEL requires a collector to receive and process the exported data records. To configure NSEL, you need to define a flow-export event type under a policy using the Modular Policy Framework (MPF). The event type specifies which events to export, such as flow-create, flow-denied, flow-teardown, flow-update, or all. You also need to configure the NSEL collectors, the template timeout intervals, and the flow-update interval. Optionally, you can disable the redundant syslog messages and reset the runtime counters.

The other statements are false because:

To view bandwidth usage for NetFlow records, the QoS feature is not required. You can use a NetFlow collector or analyzer to view the bandwidth usage and other statistics from the exported data records.

A sysopt command cannot be used to enable NSEL on a specific interface. NSEL is enabled globally on all interfaces by default when you configure a flow-export event type under a policy.

NSEL cannot be used without a collector configured. NSEL exports data records to the configured collectors using NetFlow over UDP. If no collector is configured, the data records are discarded.

 MFA stands for multi-factor authentication, which is a security method that requires users to provide two or more pieces of evidence to verify their identity before accessing a system. MFA can prevent unauthorized access to the system if a user’s password is compromised, because the attacker would also need to obtain the other factors, such as a one-time code, a biometric scan, or a physical token. MFA can be implemented using various technologies, such as SMS, email, phone call, mobile app, or hardware device. According to Microsoft, adopting MFA can prevent approximately 99.9% of compromised user accounts, significantly bolstering security measures against unauthorized access12. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Secure Network Access and Visibility, Lesson 6.1: Implementing Secure Network Access

350-701 SCOR - Cisco, Exam Topics, 6.1 Implement secure network access

What Is Unauthorized Access? 5 Key Prevention Best Practices - Cynet, Best Practice #3: Implement multi-factor authentication

Unauthorized Access: Top 8 Practices for Detecting and Responding - Ekran System, Best Practice #3: Use multi-factor authentication

Explanation

Explanation

You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation

in an outgoing message. Different actions can be assigned for different violation types and severities.

Primary actions include:

– Deliver

– Drop

– Quarantine

Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the

original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in

addition to providing another way to monitor DLP violations. When you release the copy from the quarantine,

the appliance delivers the copy to the recipient, who will have already received the original message.

– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message

headers.

– Altering the subject header of messages containing a DLP violation.

– Adding disclaimer text to messages.

– Sending messages to an alternate destination mailhost.

– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical

DLP violations to a compliance officer’s mailbox for examination.)

– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP

compliance officer.

CoA stands for Change of Authorization, which is a feature that allows a RADIUS server to adjust an active client session after it is authenticated. For example, CoA can be used to reauthenticate a client, terminate a client session, or change the VLAN or group policy of a client. CoA is supported by several RADIUS vendors, including Cisco ISE. CoA is defined in RFC 5176 and uses a pushed model, where the request originates from the RADIUS server and is sent to the network device that acts as a listener. CoA requests can have two possible response codes: CoA-ACK (acknowledgment) or CoA-NAK (non-acknowledgment). References :=

Some possible references are:

RADIUS Change of Authorization

Change of Authorization with RADIUS (CoA) on MR Access Points

Change of Authorization with RADIUS (CoA) on MS Switches

Technical Tip: Radius COA behavior

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

Explanation

Explanation

Cisco Advanced Phishing Protection provides sender authentication and BEC detection capabilities. It uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to protect against identity deception-based threats.

To achieve the goal of excluding some servers from the VPN tunnel and accessing them directly, the engineer must modify the group policy that is applied to the remote access VPN users. The group policy contains the settings for split tunneling, which is a feature that allows the VPN client to route some traffic through the VPN tunnel and some traffic directly to the internet. Split tunneling can be configured based on the destination IP address, the application, or the domain name of the traffic. By modifying the group policy, the engineer can specify which servers or networks should be excluded from the VPN tunnel and accessed directly by the VPN client. This can improve the performance and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and the corporate network. However, split tunneling also introduces some security risks, such as exposing the VPN client to internet threats, bypassing the corporate firewall and security policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the trade-offs and best practices of using split tunneling for remote access VPNs. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN, Subtopic 3.1.4.2: Configure and Verify Split Tunneling

VPN Split Tunneling: What It Is & Pros and Cons

Cisco ASA - Enable Split Tunnel for Remote VPN Clients