Pass the Cisco CCNP Security 350-701 Questions and answers with CertsForce

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

Explanation

The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the

highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the

software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that

gives someone – with legitimate or malicious intentions – privileged access to a computer.

There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.

+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.

+ Both ingress and egress NetFlow accounting is supported.

+ Microflow policing feature shares the NetFlow hardware resource with FNF.

+ Only one flow monitor per interface and per direction is supported.

Explanation

SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which can often break scripts.

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data.

Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics. Referfence: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming telemetry

Explanation

Explanation

When Umbrella receives a DNS request, it uses intelligence to determine if the request is safe, malicious or risky — meaning the domain contains both malicious and legitimate content. Safe and malicious requests are routed as usual or blocked, respectively. Risky requests are routed to our cloud-based proxy for deeper inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine if a URL is malicious.

NetFlow is a baseline form of telemetry that is recommended for network infrastructure devices. NetFlow is a technology that collects and exports information about IP traffic flows on enabled interfaces. NetFlow can provide valuable insight into the network performance, utilization, behavior, and security. NetFlow can help identify anomalies, such as DDoS attacks, malware, or misconfigurations, by comparing the current traffic patterns with the normal or baseline ones. NetFlow can also help with capacity planning, troubleshooting, and forensic analysis. NetFlow is supported on various Cisco platforms, such as routers, switches, firewalls, and IPS sensors. NetFlow can export data to different collectors and analyzers, such as Cisco Security Monitoring, Analysis and Response System (CS-MARS), Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances, Cisco Network Analysis Module (NAM), and other third-party tools. References:

Explanation

Explanation

A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target

machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP

fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

 EPP solutions solely focus on the perimeter of the network, which is the boundary between the internal and external networks. The perimeter is where most of the endpoints, such as laptops, desktops, mobile devices, and IoT devices, are located and connected to the network. EPP solutions aim to prevent, detect, and remediate security threats on these endpoints by using technologies such as antivirus, data encryption, and data loss prevention. EPP solutions rely on signatures and other indicators of intrusion by known threats to block malicious activity and malware on the endpoints12.

EDR solutions do not focus on the perimeter, but rather on the entire network, including the core and the East-West gateways. The core is the central part of the network that connects different segments and provides high-speed data transmission. The East-West gateways are the points of communication between different segments within the network, such as between different data centers or cloud environments. EDR solutions provide continuous and comprehensive visibility into endpoint activities across the network by using threat hunting tools for behavior-based endpoint threat detection. EDR solutions monitor and record endpoint data, detect anomalies and malicious behavior, and respond to threats that EPP and other security tools did not catch. EDR solutions also enable security teams to proactively investigate and contain incidents by using incident data search, alert triage, threat validation, and malicious activity blocking134.

References := 1: EPP vs. EDR: Why You Need Both - CrowdStrike 2: Comparing endpoint security: EPP vs. EDR vs. XDR | Infosec 3: EDR vs EPP: What is the Difference? - Exabeam 4: EDR vs EPP: Key Features, Differences, and How They Work Together

Explanation

With Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

Defanging is the process of modifying a URL in a message to prevent it from being clickable. This can help protect users from malicious links that have a low URL reputation score. Defanging is one of the actions that can be configured in the Incoming Content Filter on the Cisco ESA. The other actions are Quarantine, FilterAction, and ScreenAction. Quarantine sends the message to a quarantine area for further inspection. FilterAction applies a predefined action such as drop, bounce, or deliver. ScreenAction displays a warning message to the user before allowing them to access the URL. Defanging is the only action that disables the links in the message without affecting the delivery or visibility of the message12. References: 1: URL Filtering on the Cisco IronPort ESA – Mikail’s Blog 2: Configure URL Filtering for Secure Email Gateway and Cloud Gateway - Cisco

DMVPN and sVTI are both VPN technologies that use IPsec to secure the tunnel traffic. However, they differ in how they establish and manage the tunnels. DMVPN supports dynamic tunnel establishment, which means that the VPN endpoints can create and delete tunnels on demand, based on the routing information. This allows for a scalable and flexible VPN topology, where the endpoints can communicate directly with each other without going through a central hub. sVTI, on the other hand, supports static tunnel establishment, which means that the VPN endpoints have to manually configure the tunnel source and destination addresses. This requires a one-to-one mapping between the endpoints, and limits the VPN topology to a hub-and-spoke model, where the endpoints can only communicate with the hub. Therefore, DMVPN is more suitable for large and dynamic VPN networks, while sVTI is more suitable for small and stable VPN networks. References:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Secure Connectivity, Lesson 5.2: Implementing Site-to-Site VPNs, Topic 5.2.3: Dynamic Multipoint VPN (DMVPN)

what is difference between svti and DVTI? - Cisco Community

 The Cisco Umbrella package that supports selective proxy for inspection of traffic from risky domains is SIG Advantage. SIG stands for Secure Internet Gateway, and it is a cloud-based service that provides comprehensive web security and threat intelligence. SIG Advantage includes all the features of DNS Security Advantage, such as DNS-layer protection, intelligent proxy, and cloud-delivered firewall, plus additional features such as full proxy, SSL decryption, advanced malware protection, and data loss prevention. Selective proxy is a feature that allows Umbrella to route risky domain requests to a proxy for deeper URL and file inspection, without impacting the performance or latency of legitimate traffic. Selective proxy is based on the reputation of the domains, which are classified into three categories: good, bad, and grey. Good domains are allowed without proxying, bad domains are blocked at the DNS layer, and grey domains are proxied for further inspection. Selective proxy is available in both DNS Security Advantage and SIG Advantage packages, but only SIG Advantage offers full proxy for all web traffic, which provides more granular control and visibility over web transactions and file types. References:

Cisco Umbrella Packages

Why Umbrella DNS Security?

Manage the Intelligent Proxy

Cisco Umbrella - Selected Proxy versus Full Proxy