350-701 Exam Dumps - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

SSL decryption allows the intelligent proxy to inspect traffic over HTTPS. Some websites may use self-signed certificates or certificates that are not trusted by the user’s device. This may cause the browser to display a warning or an error message when accessing those websites through the intelligent proxy. To avoid this, the user’s device needs to trust the Umbrella root CA, which is the certificate authority that signs the certificates for the websites that are proxied by Umbrella. By importing the Umbrella root CA into the trusted root store on the user’s device, the browser will recognize the certificates as valid and will not alert the end-users12. References: 1: Enable SSL Decryption - Umbrella User Guide 2: Intelligent Proxy and SSL Decryption with Cisco Umbrella

Explanation

What Cisco DNA Center enables you to do

Automate: Save time by using a single dashboard to manage and automate your network. Quickly scale your business with intuitive workflows and reusable templates. Configure and provision thousands of network devices across your enterprise in minutes, not hours.

Secure policy: Deploy group-based secure access and network segmentation based on business needs. With Cisco DNA Center, you apply policy to users and applications instead of to your network devices. Automation reduces manual operations and the costs associated with human errors, resulting in more uptime and improved security. Assurance then assesses the network and uses context to turn data into intelligence, making sure that changes in the network device policies achieve your intent.

Assurance: Monitor, identify, and react in real time to changing network and wireless conditions. Cisco DNA Center uses your network’s wired and wireless devices to create sensors everywhere, providing real-time feedback based on actual network conditions. The Cisco DNA Assurance engine correlates network sensor insights with streaming telemetry and compares this with the current context of these data sources. With a quick check of the health scores on the Cisco DNA Center dashboard, you can see where there is a performance issue and identify the most likely cause in minutes.

Extend ecosystem: With the new Cisco DNA Center platform, IT can now integrate Cisco® solutions and thirdparty technologies into a single network operation for streamlining IT workflows and increasing business value and innovation. Cisco DNA Center allows you to run the network with open interfaces with IT and business applications, integrates across IT operations and technology domains, and can manage heterogeneous network devices.

Explanation

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks.

 The Cisco WSA supports mainly two authentication protocols: LDAP and NTLM. LDAP is a standard protocol for accessing directory services, such as Active Directory or OpenLDAP. NTLM is a proprietary protocol for authenticating Windows clients to Windows servers. NTLM has two versions: NTLMv1 and NTLMv2. NTLMSSP (NT LAN Manager Security Support Provider) is a variant of NTLMv2 that provides additional security features, such as message integrity and confidentiality. The Cisco WSA supports both LDAP and NTLMSSP using basic authentication, which requires the user to enter a username and password. The Cisco WSA also supports Kerberos, which is a network authentication protocol that uses tickets to authenticate users and services. Kerberos is based on symmetric-key cryptography and requires a trusted third party, called the Key Distribution Center (KDC), to issue and validate tickets. Kerberos is more secure and efficient than NTLM, as it does not require the user to enter credentials repeatedly and does not send passwords over the network. The Cisco WSA supports Kerberos only in standard mode, not in cloud connector mode. The Cisco WSA does not support TACACS+ or CHAP as authentication protocols. TACACS+ is a Cisco proprietary protocol for authenticating network devices and users to a central server. CHAP is a challenge-response protocol for authenticating PPP connections. These protocols are not designed for web security appliances and are not compatible with the Cisco WSA. References:

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances (Section: Acquire End-User Credentials)

Cisco WSA Authentication

WSA Authentication

 Transparent mode is a Cisco ASA deployment model that allows the ASA to act as a bump in the wire, or a stealth firewall. In this mode, the ASA does not have an IP address on the network, and it does not participate in routing. Instead, it filters traffic between hosts in the same IP subnet using higher-level protocols such as TCP, UDP, and ICMP. Transparent mode is useful when you want to apply security policies without readdressing the network or changing the default gateway of the hosts. Some of the benefits of transparent mode are:

It preserves the original source and destination IP addresses of the packets, which can be useful for logging and auditing purposes.

It simplifies the configuration of the ASA, as you do not need to configure routing protocols, NAT, or DHCP.

It allows the ASA to inspect non-IP traffic, such as ARP, STP, and CDP.

It supports multiple contexts, which can provide logical separation of traffic for different tenants or customers.

Some of the limitations of transparent mode are:

It does not support VPN, dynamic routing, multicast routing, or QoS.

It requires the use of EtherType ACLs to filter non-IP traffic, which can be complex and cumbersome.

It requires the use of bridge groups and bridge domains to define the interfaces and VLANs that belong to the same broadcast domain.

It requires the use of MAC address learning and aging to maintain a MAC address table for each bridge group.

References :=

Some possible references are:

Cisco ASA Series Firewall CLI Configuration Guide, 9.10 - Transparent Firewall Mode

Deploying ASA - Cisco

Cisco ASA 5500-X Series Firewalls - Configuration Guides - Cisco

Multifactor authentication (MFA) is a security measure that requires two or more proofs of identity to grant access to a resource, such as a username and password, a one-time code, a smart card, etc.1 MFA provides stronger protection than single-factor authentication (SFA), which only requires one proof of identity, such as a password. SFA can be compromised more easily by attackers who can guess, steal, or intercept passwords, or use phishing or social engineering techniques to trick users into revealing their credentials. MFA adds an extra layer of security that makes it harder for attackers to gain access, even if they have the password. MFA can also prevent unauthorized access from lost or stolen devices, as the attacker would need another factor to authenticate. MFA can also deter attackers from targeting an organization, as they would need to invest more time and resources to bypass the security measures. Therefore, organizations should migrate to a multifactor authentication strategy to enhance their security posture and protect their data and assets. References := 1: What is Multi-Factor Authentication (MFA)? - Auth0

Northbound and southbound APIs are two types of interfaces that enable communication between different layers of the SDN architecture. Northbound APIs relay information between the controller and the applications or policy engines, while southbound APIs relay information between the controller and the network devices.

Northbound APIs allow applications to request network services or resources from the controller, such as bandwidth, latency, security, or routing. The controller then translates these requests into network configurations and applies them to the network devices via the southbound APIs. Northbound APIs typically use RESTful API methods such as GET, POST, and DELETE to communicate with the controller.

Southbound APIs allow the controller to program the network devices to perform forwarding and other functions. The controller can use different protocols or standards to communicate with the network devices, depending on their capabilities and vendor-specific features. Some common examples of southbound APIs are CLI, SNMP, RESTCONF, NETCONF, OpenFlow, and OpFlex.

Active Directory (AD) is an ID store that requires that a shadow user be created on Cisco ISE for the admin login to work. A shadow user is a user account that is defined in the ISE internal database, but has the password set to external. This means that the user authentication is performed against an external identity source, such as AD, while the user authorization is based on the ISE admin group membership. A shadow user is useful when the admin wants to assign different roles or permissions to specific AD users, rather than using AD groups. To create a shadow user, the admin must check the External checkbox in the ISE admin user configuration, and make sure that the username matches the AD username. The shadow user must also be assigned to an ISE admin group that has the Type set to External123. References := 1: ISE Admin User Shadow AD Account Issue 2: ISE Admin user authentication from AD 3: Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?