350-701 Exam Dumps - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

accomplish the task is to install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE. This will allow the engineer to integrate Cisco ISE with Cisco DUO for TACACS+ device administration using Active Directory as the primary authentication source and Cisco DUO as the secondary authentication source for multi-factor authentication (MFA). The steps to configure this solution are as follows12:

Install and configure the Cisco DUO Authentication Proxy on a Windows or Linux machine. The proxy will act as a RADIUS server that communicates with Cisco ISE and a RADIUS client that communicates with Cisco DUO cloud. The proxy will also connect to Active Directory for the primary authentication of the users.

Configure the proxy by editing the authproxy.cfg file. The file should include the following sections:

[ad_client]: This section defines the connection parameters to Active Directory, such as the host, service_account_username, service_account_password, and search_dn.

[radius_server_auto]: This section defines the RADIUS server parameters for the proxy, such as the ikey, skey, api_host, radius_ip_1, radius_secret_1, and client parameters. The ikey, skey, and api_host are obtained from the Cisco DUO web portal when creating a RADIUS application. The radius_ip_1 and radius_secret_1 are the IP address and shared secret of the Cisco ISE node that will send authentication requests to the proxy. The client parameter specifies the authentication method for Cisco DUO, such as auto, push, phone, or passcode.

[main]: This section defines the global settings for the proxy, such as the debug, log_max_size, and log_max_files parameters.

Restart the proxy service after saving the authproxy.cfg file.

Configure Cisco ISE as a TACACS+ server and add the proxy as an external RADIUS server. The steps are as follows:

Navigate to Administration > System > Deployment and enable the Device Administration Service on the appropriate node.

Navigate to Work Centers > Device Administration > Network Resources and add the network devices that will use TACACS+ for device administration. Specify the device name, IP address, device type, and shared secret.

Navigate to Work Centers > Device Administration > Network Access and add the proxy as an external RADIUS server. Specify the server name, IP address, port, shared secret, and timeout. Optionally, enable the Continue for additional authorization policy option to allow Cisco ISE to perform authorization based on the user’s Active Directory attributes after successful authentication by Cisco DUO.

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles and create a TACACS profile for device administration. Specify the profile name, type, and custom attributes, such as the shell:roles and shell:priv-lvl attributes.

Navigate to Work Centers > Device Administration > Policy Sets and create a policy set for device administration. Specify the policy set name, conditions, and results. The conditions can be based on the device type, the protocol, or the identity source sequence. The results can be the TACACS profile and the external RADIUS server (the proxy).

Configure the network devices to use TACACS+ for device administration and specify Cisco ISE as the TACACS+ server and the proxy as the RADIUS server. The configuration commands may vary depending on the device type and model, but the general syntax is as follows:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

tacacs server ISE

address ipv4

key

radius server DUO

address ipv4 auth-port

key

Test the solution by logging into the network devices using Active Directory credentials. The user should receive a Cisco DUO prompt for the second factor authentication, such as a push notification, a phone call, or a passcode. After approving the second factor authentication, the user should be granted access to the device with the appropriate privileges based on the TACACS profile and the Active Directory attributes.

References := 1: Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users - Cisco Community 2: Protecting Access to Network devices with ISE TACACS+ and DUO MFA - Cisco Community

 The Decrypt for Application Detection feature within the WSA Decryption options enhances the ability of AsyncOS to detect HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to web applications. This allows the Application Visibility and Control (AVC) engine to more accurately detect and block web applications that use HTTPS. This feature can help improve the security and performance of the network by identifying and controlling the usage of web applications that may consume bandwidth, pose security risks, or violate compliance policies.

Cisco Stealthwatch Cloud is a network detection and response (NDR) solution that leverages pre-existing infrastructure to offer enterprise-wide, contextual visibility of network traffic from the private network to the public cloud1. It uses advanced analytics and machine learning to detect threats and anomalies across on-premises and cloud environments, and provides actionable alerts and recommendations to remediate them2. Cisco Stealthwatch Cloud is part of Cisco’s XDR strategy, which converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution3. References: 3: Cisco Unveils New Solution to Rapidly Detect Advanced Cyber Threats and Automate Response 2: Cisco Secure Network Analytics - Cisco 1: Cisco Stealthwatch and Cisco Tetration Workload Security

Mobile device management (MDM) is a toolset that provides a workforce with mobile productivity tools and applications while keeping corporate data secure1. One of the essential capabilities of an MDM solution is the unified management of mobile devices, Macs, and PCs from a centralized dashboard2. This allows IT and security departments to manage all of a company’s devices, regardless of their operating system, and perform tasks such as provisioning, configuration, update, lock, wipe, and troubleshoot2. Another important capability of an MDM solution is the enforcement of device security policies from a centralized dashboard3. This enables IT and security departments to protect the device’s applications, data, and content, and ensure compliance with organizational and regulatory standards3. For example, an MDM solution can set minimum password strength, encrypt data, restrict access, and detect threats3.

 1: What is Mobile Device Management (MDM)? | IBM 2: 5 Essential Capabilities of an MDM Solution | Macworld 3: What is device management? | Microsoft Learn

When a Cisco WSA receives a web request, it evaluates it against the policies in the policy table. Each policy type has a predefined, global policy, which maintains default actions for that policy type. If the web request does not match any user-defined policy, the WSA applies the global policy. The global policy can be configured to allow, block, or redirect the web request based on various criteria. The global policy acts as a catch-all policy for any web request that is not explicitly handled by a user-defined policy. References :=

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Create Policies to Control Internet Requests

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

Cisco Identity Services Engine (ISE) is a product that provides comprehensive and scalable access policy enforcement for wired and wireless networks. ISE supports TACACS+ for device administration, which allows for granular control over the commands and actions that network administrators can perform on network devices. ISE also supports 802.1X, MAB, and WebAuth for network access, which enables authentication and authorization of users and endpoints based on various attributes, such as identity, device type, posture, location, and time. ISE can also integrate with other Cisco security products, such as Cisco Stealthwatch and Cisco AMP for Endpoints, to provide enhanced visibility and threat detection. Therefore, ISE is the product that meets all of the requirements stated in the question. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Network Access, Identity Management, and Secure Access

TACACS+ Configuration Guide, Configuring TACACS

Cisco Identity Services Engine Administrator Guide, Release 2.7, Device Administration

Cisco Identity Services Engine Administrator Guide, Release 2.7, Network Access Devices

Cisco Identity Services Engine Administrator Guide, Release 2.7, Policy Sets

Cisco Stealthwatch is a network security and visibility platform that provides an agentless solution to monitor network traffic and detect threats, including those in encrypted traffic. Stealthwatch uses Encrypted Traffic Analytics (ETA), a technology that leverages network telemetry and machine learning to identify malicious patterns and behaviors in encrypted traffic without decryption. ETA can also assess the cryptographic strength and compliance of the encryption protocols used in the network. Stealthwatch integrates with other Cisco security products, such as Cisco Identity Services Engine (ISE) and Cisco Advanced Malware Protection (AMP), to provide contextual information and threat intelligence for faster and more effective response. Stealthwatch is the only Cisco platform that offers ETA as a solution to provide visibility across the network, including encrypted traffic analytics, to detect malware in encrypted traffic without the need for decryption. References :=

Some possible references are:

Cisco Secure Network Analytics (Stealthwatch) - Cisco, Cisco

Encrypted Traffic Analytics > Security | Cisco Press, Cisco Press

Solutions - Encrypted Traffic Analytics with the New Cisco Network and Secure Network Analytics At-a-Glance - Cisco, Cisco

Cisco Encrypted Traffic Analytics White Paper, Cisco