Pass the Cisco CCNP Security 350-701 Questions and answers with ValidTests

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets on untrusted interfaces by comparing the MAC address to IP address bindings in the DHCP snooping database or an ARP access-list. If the ARP packet contains invalid or spoofed information, it is dropped and logged. DAI also inspects ARP packets on trusted interfaces, but it does not drop them if they are invalid. Instead, it forwards them to the destination without validation. This allows the switch to support devices that use static IP addresses or have legitimate reasons to send ARP packets with different MAC address to IP address bindings. However, this also means that if a spoofed ARP packet is received on a trusted interface, it will bypass the DAI validation and be forwarded to the destination. This could allow an attacker to poison the ARP cache of other devices and perform a man-in-the-middle attack. Therefore, the correct answer is option B. The switch drops the packet after validation by using the IP & MAC Binding Table. References:

Understanding and Configuring Dynamic ARP Inspection

DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) Explanation & Configuration

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

One of the key capabilities of endpoint security is to prevent phishing attacks by ensuring that antivirus and anti malware software is up to date. This helps to detect and block malicious attachments or links that may be embedded in phishing emails. Antivirus and anti malware software can also scan the endpoint for any signs of compromise or infection that may have resulted from a successful phishing attack. Additionally, endpoint security can provide data loss prevention (DLP) features that can prevent sensitive data from being exfiltrated by attackers who have gained access to the endpoint through phishing. References :=

Some possible references are:

Endpoint Security and Phishing: What to Know

Protect Against Spear Phishing with Endpoint Security

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

accomplish the task is to install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE. This will allow the engineer to integrate Cisco ISE with Cisco DUO for TACACS+ device administration using Active Directory as the primary authentication source and Cisco DUO as the secondary authentication source for multi-factor authentication (MFA). The steps to configure this solution are as follows12:

Install and configure the Cisco DUO Authentication Proxy on a Windows or Linux machine. The proxy will act as a RADIUS server that communicates with Cisco ISE and a RADIUS client that communicates with Cisco DUO cloud. The proxy will also connect to Active Directory for the primary authentication of the users.

Configure the proxy by editing the authproxy.cfg file. The file should include the following sections:

[ad_client]: This section defines the connection parameters to Active Directory, such as the host, service_account_username, service_account_password, and search_dn.

[radius_server_auto]: This section defines the RADIUS server parameters for the proxy, such as the ikey, skey, api_host, radius_ip_1, radius_secret_1, and client parameters. The ikey, skey, and api_host are obtained from the Cisco DUO web portal when creating a RADIUS application. The radius_ip_1 and radius_secret_1 are the IP address and shared secret of the Cisco ISE node that will send authentication requests to the proxy. The client parameter specifies the authentication method for Cisco DUO, such as auto, push, phone, or passcode.

[main]: This section defines the global settings for the proxy, such as the debug, log_max_size, and log_max_files parameters.

Restart the proxy service after saving the authproxy.cfg file.

Configure Cisco ISE as a TACACS+ server and add the proxy as an external RADIUS server. The steps are as follows:

Navigate to Administration > System > Deployment and enable the Device Administration Service on the appropriate node.

Navigate to Work Centers > Device Administration > Network Resources and add the network devices that will use TACACS+ for device administration. Specify the device name, IP address, device type, and shared secret.

Navigate to Work Centers > Device Administration > Network Access and add the proxy as an external RADIUS server. Specify the server name, IP address, port, shared secret, and timeout. Optionally, enable the Continue for additional authorization policy option to allow Cisco ISE to perform authorization based on the user’s Active Directory attributes after successful authentication by Cisco DUO.

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles and create a TACACS profile for device administration. Specify the profile name, type, and custom attributes, such as the shell:roles and shell:priv-lvl attributes.

Navigate to Work Centers > Device Administration > Policy Sets and create a policy set for device administration. Specify the policy set name, conditions, and results. The conditions can be based on the device type, the protocol, or the identity source sequence. The results can be the TACACS profile and the external RADIUS server (the proxy).

Configure the network devices to use TACACS+ for device administration and specify Cisco ISE as the TACACS+ server and the proxy as the RADIUS server. The configuration commands may vary depending on the device type and model, but the general syntax is as follows:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

tacacs server ISE

address ipv4

key

radius server DUO

address ipv4 auth-port

key

Test the solution by logging into the network devices using Active Directory credentials. The user should receive a Cisco DUO prompt for the second factor authentication, such as a push notification, a phone call, or a passcode. After approving the second factor authentication, the user should be granted access to the device with the appropriate privileges based on the TACACS profile and the Active Directory attributes.

References := 1: Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users - Cisco Community 2: Protecting Access to Network devices with ISE TACACS+ and DUO MFA - Cisco Community

 The RADIUS CoA feature supports the IETF attribute 24 State, which is used to identify the session for which the CoA request is intended. The State attribute is sent by the device in the Access-Accept message and must be echoed back by the RADIUS server in the CoA-Request message. The other attributes are not supported for the RADIUS CoA feature.

To understand the concept of RADIUS CoA and the supported attributes, you can refer to the following sections of the source book:

Section 1.1.2: Describe the concepts of network security

Section 1.1.2.6: Describe the concepts of RADIUS CoA

Section 1.1.2.7: Describe the concepts of supported IETF attributes

In a remote access VPN configuration, dynamic split tunneling allows traffic to certain trusted domains to bypass the VPN tunnel and exit through the client's local internet gateway. This feature selectively directs only the necessary traffic over the VPN, while allowing direct internet access for specific domains or traffic deemed safe or trusted, optimizing bandwidth and performance for remote users.

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

 Platform as a Service (PaaS) is a cloud service model that delivers and manages all the hardware and software resources to develop applications through the cloud. The service provider is responsible for the infrastructure, middleware, runtime, and operating system, while the customer only has to focus on the application and data. PaaS enables the customer to avoid the hassle of patching, updating, or maintaining the operating system, as well as the underlying hardware and network12. Infrastructure as a Service (IaaS) is a cloud service model that delivers on-demand infrastructure resources, such as compute, storage, networking, and virtualization, to the customer via the cloud. The service provider hosts and manages the infrastructure, but the customer is responsible for the operating system, middleware, virtual machines, and any apps or data. IaaS requires the customer to handle the patch management of the operating system, as well as the security and configuration of the virtual machines34. References := 1: Use platform as a service (PaaS) options - Azure Architecture Center 2: What is Platform-as-a-Service (PaaS)? - Cloudflare 3: PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud 4: SaaS vs PaaS vs IaaS: What’s The Difference & How To Choose – BMC Software | Blogs

The debug crypto isakmp sa command shows the status of the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs). The output of this command indicates that the ISAKMP negotiation failed after several retransmissions. The most likely cause of this failure is a mismatch in the authentication key between the two peers. The authentication key is specified by the crypto isakmp key command and must be the same on both routers. If the authentication key is different, the ISAKMP messages cannot be decrypted and verified by the peers, resulting in an error. To fix this problem, the network administrator should verify and correct the authentication key on both routers and clear the existing ISAKMP SAs with the clear crypto isakmp sa command. References: 1, 2, 3, 4

SSL decryption allows the intelligent proxy to inspect traffic over HTTPS. Some websites may use self-signed certificates or certificates that are not trusted by the user’s device. This may cause the browser to display a warning or an error message when accessing those websites through the intelligent proxy. To avoid this, the user’s device needs to trust the Umbrella root CA, which is the certificate authority that signs the certificates for the websites that are proxied by Umbrella. By importing the Umbrella root CA into the trusted root store on the user’s device, the browser will recognize the certificates as valid and will not alert the end-users12. References: 1: Enable SSL Decryption - Umbrella User Guide 2: Intelligent Proxy and SSL Decryption with Cisco Umbrella

 TAXII, short for Trusted Automated eXchange of Intelligence Information, is a protocol that defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which is a standardized language for expressing and exchanging cyber threat information. TAXII enables organizations to share STIX information by defining an API that aligns with common sharing models, such as hub and spoke, source/subscriber, and peer-to-peer. TAXII also defines four services that allow users to discover, manage, receive, and request STIX information. Therefore, TAXII supports STIX information and determines how threat intelligence information is relayed. TAXII does not determine the “what” of threat intelligence, as that is the role of STIX. TAXII does not allow users to describe threat motivations and abilities, as that is also part of STIX. TAXII does not exchange trusted anomaly intelligence information, as that is a specific type of threat intelligence that may or may not be represented in STIX. References:

What are STIX/TAXII Standards I Resources I Anomali

Cyber Threat Intelligence Technical Committee - GitHub Pages

MAB is a fallback mechanism for IEEE 802.1X that allows network access based on the MAC address of the endpoint. However, MAB does not prevent MAC address spoofing, which is a technique used by attackers to impersonate authorized devices and bypass authentication. To mitigate this risk, two catalyst switch security features can be used in conjunction with MAB: 802.1AE MacSec and port security.

802.1AE MacSec is a standard that provides encryption and integrity protection for data frames between two MACsec-capable devices. MacSec also uses a secure key exchange protocol called MKA (MACsec Key Agreement) to establish and maintain cryptographic keys between the peers. By enabling MacSec on the switch ports, the switch can verify the identity and authenticity of the endpoints and prevent unauthorized access or tampering with the data frames.

Port security is a feature that allows the switch to limit the number and type of MAC addresses that can access a port. Port security can be configured to allow only a specific MAC address or a maximum number of MAC addresses per port. Port security can also be configured to take an action when a violation occurs, such as shutting down the port, sending a trap, or dropping packets. By enabling port security on the switch ports, the switch can prevent multiple devices from accessing the same port or deny access to devices with spoofed MAC addresses.

A PAC file, or proxy auto-configuration file, is a script that tells the web browser how to use a proxy server for different URLs. A PAC file can be hosted on a web server or on the WSA itself, and can be deployed to the client web browser manually or automatically. A WSA HTTP proxy configuration with a PAC file is defined as an explicit proxy deployment, because the client web browser is aware of the proxy and sends requests to it directly. This is different from a transparent proxy deployment, where the client web browser is unaware of the proxy and the requests are redirected to it by a network device such as a router or a firewall. A bridge proxy deployment is a type of transparent proxy deployment where the WSA acts as a layer 2 bridge between two network segments and intercepts the traffic passing through it. A PAC file is not used in a bridge proxy deployment. In a dual-NIC configuration, the WSA has two network interfaces, one for the client-side network and one for the server-side network. The PAC file does not direct traffic through the two NICs to the proxy, but rather tells the client web browser to send requests to the proxy’s IP address and port number. The WSA then forwards the requests to the server-side network through the other NIC. Therefore, option B is incorrect. References :=

Some possible references are:

1: What is a Proxy Pac file and are there any examples? - Cisco

2: What is a PAC file and where is it located on WSA? - Cisco

3: [WSA Training Series] How to configure the HTTPS Proxy on the Cisco Web Security Appliance

4: Proxy Auto-Configuration (PAC) file

5: Use proxy auto-configuration (.pac) files with IEAK 11

Workload security models refer to the ways of protecting applications, services, and capabilities that run on a cloud resource. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud, and different types of cloud service models, such as IaaS, PaaS, and SaaS. However, these are not workload security models, but rather ways of describing the cloud environment and the level of abstraction. Workload security models are more focused on the location and ownership of the workloads, and how they are secured. The two main workload security models are off-premises and on-premises. Off-premises workload security model means that the workloads are hosted and managed by a third-party cloud service provider, such as AWS, Azure, or GCP. The cloud service provider is responsible for the security of the underlying infrastructure, such as the physical servers, network devices, storage systems, and hypervisors. The customer is responsible for the security of the workloads themselves, such as the guest operating systems, applications, data, and users. The customer can use various tools and techniques to secure their workloads, such as encryption, firewalls, identity and access management, vulnerability scanning, and logging and monitoring. On-premises workload security model means that the workloads are hosted and managed by the customer on their own data center or private cloud. The customer is responsible for the security of both the infrastructure and the workloads, and has full control and visibility over them. The customer can use similar tools and techniques as the off-premises model, but also has to deal with the physical security, network security, and compliance requirements of their own environment. References:

What Is Workload Security? On-Premises, Cloud, Kubernetes, and More

What is Cloud Workload Security? - CyberArk

What is Cloud Workload Protection? | Workload Security | VMware

What is Cloud Workload Security? - Check Point Software

Introduction To Classic Security Models - GeeksforGeeks