Pass the Cisco CCNP Security 350-701 Questions and answers with ValidTests

The switch port MAC address security setting that must be used is sticky. This option allows the switch to dynamically learn the MAC addresses of the devices connected to the port and add them to the running configuration. If the port is shut down or the switch is restarted, the MAC addresses remain associated with the port and are not aged out. This way, the engineer can limit the number of MAC addresses per port and prevent unauthorized devices from accessing the network. The sticky option also allows the engineer to manually configure some MAC addresses and let the switch learn the rest. References:

Configuring Port Security - Cisco (Section: Allowing Traffic Based on the Host MAC Address)

How to configure port-security on Cisco Switch - NetworkLessons.com (Section: Sticky MAC addresses)

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5.1.1)

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

 Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of containerized applications across multiple clouds. It provides the following benefits to customers who utilize cloud service providers12:

Allows developers to create code once and deploy to multiple clouds. CCP is based on open source components, such as Kubernetes and Docker, that are compatible with various cloud platforms. This enables developers to write code once and run it anywhere, without worrying about the underlying infrastructure or vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing customers to leverage the best features of different cloud providers and optimize their costs and performance.

Manages Kubernetes clusters. CCP automates the installation, configuration, and maintenance of Kubernetes clusters, which are groups of nodes that run containerized applications. CCP provides a simple GUI-driven menu system to deploy clusters, as well as automated monthly updates for bug fixes, feature enhancements, and security patches. CCP also offers a choice of networking solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters. CCP also integrates with Cisco AppDynamics and Prometheus for visibility and monitoring of the clusters and applications. References:

Cisco Container Platform - Cisco

Cisco Container Platform - At-a-Glance - Cisco

Explanation

A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browser

requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy server.

PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured to

send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to create

and maintain.

The function of the crypto is a kmp key cisc406397954 address 0.0.0.0 0.0.0.0 command when establishing an IPsec VPN tunnel is to configure the pre-shared authentication key. This command specifies the key that will be used to authenticate the Internet Key Exchange (IKE) phase 1 negotiation between the IPsec peers. The key is associated with the address 0.0.0.0 0.0.0.0, which means that it will apply to any peer that initiates or responds to the IKE negotiation. This is a common configuration for dynamic IPsec VPN scenarios, such as Dynamic Multipoint VPN (DMVPN) or Easy VPN, where the IP addresses of the peers are not known in advance. However, this is also a less secure configuration, as it exposes the VPN server to potential brute-force attacks from any source. A more secure configuration would be to specify the exact IP address or subnet of the peer, or to use certificates instead of pre-shared keys.

 IKEv1 is the authentication protocol that is reliable and supports ACK and sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1 uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the peers authenticate each other and negotiate a shared secret key that is used to encrypt the subsequent messages. In phase 2, the peers negotiate the security parameters for the IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the reliability and integrity of the messages exchanged between the peers. ACK is an acknowledgment message that confirms the receipt of a previous message. Sequence number is a unique identifier that is assigned to each message to prevent replay attacks and to detect missing or out-of-order messages. IKEv1 also supports various authentication methods, such as pre-shared keys, digital certificates, and extended authentication (XAUTH). References : Internet Key Exchange for IPsec VPNs Configuration Guide, Security for VPNs with IPsec Configuration Guide, IPSec Architecture

Flood attacks are a type of denial-of-service (DoS) attacks that aim to saturate the bandwidth or resources of a target by sending a large number of packets or requests. Flood attacks can be classified into different categories based on the protocol or layer they target, such as ICMP, UDP, TCP SYN, HTTP, DNS, etc. Flood attacks can also be distributed (DDoS) if they involve multiple sources of attack traffic, such as compromised devices or servers123. References := 1: Denial of Service - OWASP Cheat Sheet Series 2: What is a denial-of-service (DoS) attack? | Cloudflare 3: Types of DOS attacks - GeeksforGeeks

The purpose of a Denial-of-Service (DoS) attack is to disrupt the normal operation of a targeted system, server, or network by overwhelming it with a flood of internet traffic. This is achieved by utilizing multiple compromised computer systems as sources of attack traffic. The overwhelming amount of traffic can cause the targeted system to slow down significantly or even crash and become unavailable to legitimate users, thereby denying service to intended users.

The Web Security Appliance (WSA) supports different authentication protocols and schemes to acquire end-user credentials. The most common protocols are NTLMSSP and Kerberos, which are both supported by Active Directory realms. NTLMSSP is a challenge-response authentication protocol that uses a hash of the user’s password to authenticate. Kerberos is a ticket-based authentication protocol that uses a trusted third-party (the Key Distribution Center) to issue tickets to the user and the service. Both protocols are more secure and widely supported than Basic authentication, which sends the user’s credentials in clear text. CHAP, TACACS+, and RADIUS are not supported by the WSA for end-user authentication, although they can be used for external authentication of administrators or for credential encryption. References: 1, 2, 3

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-742373.html

https://frontegg.com/blog/authentication