Pass the Cisco CCNP Security 350-701 Questions and answers with CertsForce

 A SYN flood is a type of denial-of-service (DoS) attack that exploits the TCP three-way handshake process to exhaust the resources of a target server. The attacker sends a large number of SYN packets to the target server, each with a spoofed source IP address. The target server allocates resources for each incoming SYN packet and responds with a SYN-ACK packet to the spoofed address. However, the spoofed address never sends back the final ACK packet to complete the connection, leaving the target server with many half-open connections that eventually fill up its connection table. This prevents the target server from accepting new legitimate connections and causes service disruption123 References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: SYN Flood Explained. How to Prevent this Attack from Taking over your … 3: What is a SYN flood attack? | Cloudflare

Explanation

Explanation

Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration

page that enables the profiling service with more control over endpoints that are already authenticated.

One of the settings to configure the CoA type is “Reauth”. This option is used to enforce reauthentication of an already authenticated endpoint when it is profiled.

Explanation

Each of the ASAs interfaces need to be grouped into one or more bridge groups. Each of these groups acts as an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge group without assistance from an external router.

As of 8.4(1) upto 8 bridge groups are supported with 2-4 interface in each group. Prior to this only one bridge group was supported and only 2 interfaces.

Up to 4 interfaces are permitted per bridge–group (inside, outside, DMZ1, DMZ2)

Explanation

Explanation

A Directory Harvest Attack (DHA) is a technique used by spammers to find valid/existent email addresses at a domain either by using Brute force or by guessing valid e-mail addresses at a domain using different

permutations of common username. Its easy for attackers to get hold of a valid email address if your

organization uses standard format for official e-mail alias (for example: jsmith@example.com). We can

configure DHA Prevention to prevent malicious actors from quickly identifying valid recipients.

Note: Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up contact information from a server, such as ClickMail Central Directory. For example, here’s an LDAP search translated into plain English: “Search for all people located in Chicago who’s name contains “Fred” that have an email address. Please return their full name, email, title, and description.

Cisco Firepower impact flags are indicators that help you evaluate the impact an intrusion has on your network by correlating intrusion data, network discovery data, and vulnerability information1. Impact flags are assigned to intrusion events based on the following criteria:

The operating system and application protocol of the target host

The exploitability of the target host by the attacker

The relevance of the intrusion rule to the target host

The severity of the intrusion rule Impact flags can have four values: unknown, neutral, affected, or vulnerable. Unknown means that the system does not have enough information to assess the impact. Neutral means that the system knows the target host is not affected by the intrusion. Affected means that the system knows the target host is affected by the intrusion, but not necessarily exploitable. Vulnerable means that the system knows the target host is exploitable by the intrusion1. Impact flags can help you prioritize your response to intrusion events, as well as generate reports and alerts based on the impact level. You can also use impact flags to filter and search for intrusion events in the Firepower Management Center1. References: 1: Firepower Management Center Configuration Guide, Version 6.1 - External Alerting with Alert Responses.

Explanation

In explicit proxy mode, users are configured to use a web proxy and the web traffic is sent directly to the Cisco WSA. In contrast, in transparent proxy mode the Cisco WSA intercepts user's web traffic redirected from other network devices, such as switches, routers, or firewalls.

ZBFW stands for Zone-Based Firewall, which is a feature that allows unidirectional application of IOS firewall policies between groups of interfaces known as zones. Interfaces are assigned to zones, and firewall rules are applied to specific types of traffic moving in one direction between the zones. ZBFW enforces a secure inter-zone policy by default, meaning traffic cannot pass between security zones until an explicit policy allowing that traffic is defined. The zone itself is an abstraction of multiple interfaces with the same or similar security requirements that can be logically grouped together. ZBFW is CBAC’s replacement and offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic. ZBFW is supported on IOS devices running 12.4(6)T or later, and ASR devices running 12.2(33) or later. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.1: Introducing Cisco Cloud Services Router 1000V Series, Topic 4.1.2: Zone-Based Firewall

Understand the Zone-Based Policy Firewall Design

Managing Zone-based Firewall Rules

Zone Based Firewall Overview

CBAC vs. Zone-based firewall

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice and video. DMVPN provides scalability for organizations with many remote sites by using a hub-and-spoke topology with dynamic tunnels between spokes. This reduces the number of static tunnels required and simplifies the configuration and management of the VPN. DMVPN also supports dynamic routing protocols, multicast traffic, and quality of service (QoS) features, making it suitable for various network scenarios and requirements12 References := 1: Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Cisco Duo is a cloud-based solution that provides multi-factor authentication (MFA) and device trust for secure access to applications and data. MFA adds an extra layer of security by requiring users to verify their identity with something they know (such as a password) and something they have (such as a phone or a hardware token). Device trust ensures that only trusted devices can access sensitive resources by checking the device health and compliance. Cisco Duo can help prevent social engineering attacks by making it harder for hackers to impersonate legitimate users or compromise their credentials. Cisco Duo can also integrate with other Cisco security products, such as Cisco AnyConnect, Cisco AMP for Endpoints, and Cisco Umbrella, to provide a comprehensive security solution. References :=

Cisco Duo Security

Cisco Duo: Multi-Factor Authentication

Cisco Duo: Device Trust

Cisco Security Core Technologies SCOR

NetFlow Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology. It provides a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow, such as flow-create, flow-teardown, and flow-denied. NSEL events are triggered by the event that caused the state change in the flow. This reduces the amount of data that is exported and provides more relevant information for security analysis. NSEL also supports periodic flow-update events, which provide byte counters over the duration of the flow. These events are usually time-driven, but may also be triggered by state changes in the flow. NSEL uses templates to describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it. NSEL delivers templates and data records to configured NSEL collectors through NetFlow over UDP only. NSEL also allows filtering of NSEL events based on the traffic and event type through Modular Policy Framework, and then sends records to different collectors. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. References :=

Some possible references are:

NetFlow Secure Event Logging (NSEL) - Cisco

NetFlow Secure Event Logging (NSEL) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Multifactor authentication (MFA) is a security measure that requires two or more proofs of identity to grant access to network resources. These proofs can be something the user knows (such as a password or a PIN), something the user has (such as a token or a card), or something the user is (such as a fingerprint or a face scan). The benefit of using MFA is that it adds an extra layer of protection against unauthorized access, especially if the first factor (such as a password) is compromised or stolen. By requiring a second validation of identity, MFA reduces the risk of data breaches and identity theft. MFA can also help comply with regulatory and industry standards that mandate strong authentication for sensitive data and systems. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.3: Identity and Access Management

Multi-factor authentication best practices & strategy, NordLayer Blog

How to implement Multi-Factor Authentication (MFA), Microsoft Security Blog

Multi-factor authentication, Cyber.gov.au

What is Multi-Factor Authentication?, IBM

Cisco DNA Center APIs are RESTful APIs that allow you to automate and operate your network at scale, using Python scripts or other tools. They are not Cisco proprietary, as they follow the OpenAPI specification and can be accessed by any client that supports HTTP requests. They do not require Postman, although Postman is a useful tool to test and explore the API endpoints. They can quickly provision new devices by applying predefined templates and workflows, and they can view the overall health of the network by retrieving metrics and alerts from various sources. References :=

Cisco DNA Center Platform - Cisco DevNet

Introduction to Cisco DNA Center REST APIs - Cisco DevNet Learning Labs

Cisco DNA Center Platform User Guide, Release 2.3.4

SSL decryption allows the intelligent proxy to inspect traffic over HTTPS. Some websites may use self-signed certificates or certificates that are not trusted by the user’s device. This may cause the browser to display a warning or an error message when accessing those websites through the intelligent proxy. To avoid this, the user’s device needs to trust the Umbrella root CA, which is the certificate authority that signs the certificates for the websites that are proxied by Umbrella. By importing the Umbrella root CA into the trusted root store on the user’s device, the browser will recognize the certificates as valid and will not alert the end-users12. References: 1: Enable SSL Decryption - Umbrella User Guide 2: Intelligent Proxy and SSL Decryption with Cisco Umbrella

Explanation

FlexVPN supports IKEv2 -> Answer A is not correct.

DMVPN supports both IKEv1 & IKEv2 -> Answer B is not correct.

FlexVPN support multiple SAs -> Answer D is not correct.

DNS tunneling is a technique that exploits the DNS protocol to tunnel malware and other data through a client-server model. DNS tunneling can be used for data exfiltration, command and control, or IP-over-DNS tunneling. DNS tunneling works by encoding the information of other protocols or programs in DNS queries and responses. An attacker registers a domain, such as badsite.com, and sets up a malicious DNS server that can interpret the encoded data. The attacker then infects a client with malware that can send and receive DNS queries to the attacker’s domain. The malware can use DNS queries to request commands from the attacker, or to send sensitive data to the attacker. The DNS queries and responses look like normal DNS traffic, but they contain hidden data that can bypass network defenses123. References := 1: What Is DNS Tunneling? - Palo Alto Networks 2: What is DNS Tunneling? - Check Point Software 3: What Is DNS Tunneling and How to Detect and Prevent Attacks