350-701 Exam Dumps - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Endpoint-based security is the solution for performing signature-based application control, which is a method of identifying and blocking malicious applications based on their signatures or hashes. Signature-based application control is one of the features of endpoint security solutions, such as Cisco AMP for Endpoints1, that protect endpoints from known and unknown threats. Endpoint security solutions can also perform other functions, such as behavioral analysis, sandboxing, machine learning, and threat hunting, to provide comprehensive protection, detection, and response on the endpoint2. The other options are not scenarios where endpoint-based security is the solution. Inspecting encrypted traffic requires a network-based security solution, such as Cisco SSL Appliance3, that can decrypt and inspect the traffic for malicious content. Device profiling and authorization requires a network access control solution, such as Cisco Identity Services Engine4, that can identify and authenticate devices and users and enforce policies based on their roles and contexts. Inspecting a password-protected archive requires a file analysis solution, such as Cisco Threat Grid5, that can extract and analyze the contents of the archive for malware and indicators of compromise. References :=

Cisco AMP for Endpoints

What is Endpoint Security? How Does It Work?

Cisco SSL Appliance

Cisco Identity Services Engine

Cisco Threat Grid

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.

DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

Simple Custom Detection is a feature of Cisco AMP for Endpoints that allows administrators to block specific files based on their SHA-256 or MD5 hashes. This feature can be used to detect and quarantine files of unknown disposition, such as abc424400664.zip, by adding their hashes to a custom list in the AMP portal. The list can then be applied to a policy that is assigned to the endpoints. Simple Custom Detection works on files of any type, size, or platform, unlike the other options that are either platform-specific (Android Custom Detection), size-limited (Blocked Application), or signature-based (Advanced Custom Detection). References: 1, 2, 3

Explanation

Explanation

Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.

Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

Explanation

To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that

determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.

Certificate authorities (CAs) are responsible for issuing, renewing, revoking, and publishing digital certificates. They also maintain a certificate revocation list (CRL), which is a database of revoked certificates that can be checked by relying parties to verify the validity of a certificate. Registration authorities (RAs) are entities that assist CAs with the verification of user identities and enrollment requests. They do not issue certificates themselves, nor do they have access to the CRL. Therefore, CRL publishing is a function that is performed by CAs but is a limitation of RAs. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.1: VPN Fundamentals, Topic 4.1.1: Public Key Infrastructure (PKI)

Easy guide to SSL certificate authorities, Namecheap

How exactly are registration authorities related to certificate authorities?, Information Security Stack Exchange

Cisco ASA NetFlow v9 Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology and provides stateful, IP flow tracking for significant events in a flow. NSEL requires a collector to receive and process the exported data records. To configure NSEL, you need to define a flow-export event type under a policy using the Modular Policy Framework (MPF). The event type specifies which events to export, such as flow-create, flow-denied, flow-teardown, flow-update, or all. You also need to configure the NSEL collectors, the template timeout intervals, and the flow-update interval. Optionally, you can disable the redundant syslog messages and reset the runtime counters.

The other statements are false because:

To view bandwidth usage for NetFlow records, the QoS feature is not required. You can use a NetFlow collector or analyzer to view the bandwidth usage and other statistics from the exported data records.

A sysopt command cannot be used to enable NSEL on a specific interface. NSEL is enabled globally on all interfaces by default when you configure a flow-export event type under a policy.

NSEL cannot be used without a collector configured. NSEL exports data records to the configured collectors using NetFlow over UDP. If no collector is configured, the data records are discarded.