Pass the Cisco CCNP Security 350-701 Questions and answers with ValidTests

the interface configuration. MAB stands for MAC Authentication Bypass, which is a feature that allows devices that do not support 802.1X, such as printers and video cameras, to bypass the authentication process and gain network access based on their MAC addresses1. By adding mab to the interface configuration, the Cisco ISE administrator can enable MAB as a fallback method after 802.1X fails or times out. This way, the devices that support 802.1X can use their machine certificate credentials, while the devices that do not support 802.1X can use their MAC addresses to authenticate with Cisco ISE2. The other options are not correct because they either compromise the security controls or do not address the problem. Changing the default policy in Cisco ISE to allow all devices not using machine authentication would weaken the security posture and expose the network to unauthorized access. Enabling insecure protocols within Cisco ISE in the allowed protocols configuration would also reduce the security level and increase the risk of attacks. Configuring authentication event fail retry 2 action authorize vlan 41 on the interface would only apply to the devices that fail authentication twice, and would not solve the issue for the devices that do not support 802.1X at all3. References:

1: MAC Authentication Bypass Deployment Guide

2: Configuring MAC Authentication Bypass

3: Cisco Identity Services Engine Administrator Guide, Release 3.1 - Segmentation

Device compliance checks are used to verify that the devices managed by Intune meet the security and configuration requirements defined by the organization. Device compliance checks can use various parameters to evaluate the device state, such as:

Endpoint protection software version: This parameter checks if the device has a valid and up-to-date antivirus or antimalware software installed and running. This parameter helps to protect the device from malicious software and network attacks.

Device operating system version: This parameter checks if the device has the minimum or maximum operating system version supported by the organization. This parameter helps to ensure that the device has the latest security patches and features available.

Windows registry values: This parameter checks if the device has specific registry values configured or not. This parameter helps to enforce custom settings or policies on the device that are not covered by other parameters.

DHCP snooping checks: This parameter checks if the device is connected to a trusted network that uses DHCP snooping to prevent rogue DHCP servers from assigning IP addresses to the device. This parameter helps to prevent man-in-the-middle attacks and network spoofing.

DNS integrity checks: This parameter checks if the device is using a secure and reliable DNS server that can resolve domain names correctly and prevent DNS hijacking or poisoning. This parameter helps to prevent phishing and redirection attacks.

References :=

Some possible references are:

Device compliance policies in Microsoft Intune | Microsoft Learn, Microsoft

Monitor results of your device compliance policies in Microsoft Intune | Microsoft Learn, Microsoft

Check device access | Microsoft Learn, Microsoft

Ensure device compliance - Configuration Manager | Microsoft Learn, Microsoft

Endpoint-based security is the solution for performing signature-based application control, which is a method of identifying and blocking malicious applications based on their signatures or hashes. Signature-based application control is one of the features of endpoint security solutions, such as Cisco AMP for Endpoints1, that protect endpoints from known and unknown threats. Endpoint security solutions can also perform other functions, such as behavioral analysis, sandboxing, machine learning, and threat hunting, to provide comprehensive protection, detection, and response on the endpoint2. The other options are not scenarios where endpoint-based security is the solution. Inspecting encrypted traffic requires a network-based security solution, such as Cisco SSL Appliance3, that can decrypt and inspect the traffic for malicious content. Device profiling and authorization requires a network access control solution, such as Cisco Identity Services Engine4, that can identify and authenticate devices and users and enforce policies based on their roles and contexts. Inspecting a password-protected archive requires a file analysis solution, such as Cisco Threat Grid5, that can extract and analyze the contents of the archive for malware and indicators of compromise. References :=

Cisco AMP for Endpoints

What is Endpoint Security? How Does It Work?

Cisco SSL Appliance

Cisco Identity Services Engine

Cisco Threat Grid

 Cisco FTD is the recommended solution for this requirement because it allows the administrator to configure URL filtering as part of the access control policy. URL filtering in FTD can block or allow traffic based on the destination URL of a web request, the generalized category of the URL, or the public reputation of the target site. FTD can also use HTTPS URL filtering to inspect encrypted web traffic and block malicious or unwanted sites. FTD supports both local URL lists and external URL filtering servers such as Cisco Talos Intelligence Group (TIG), Websense, or SmartFilter12.

Cisco ASA does not include URL filtering in the access control policy capabilities. ASA can only enable URL filtering for web traffic using external filtering servers such as Websense or SmartFilter. ASA cannot block HTTPS or FTP traffic based on URLs, nor can it use local URL lists or categories. ASA also does not block malicious URLs by default, but relies on the filtering server’s configuration34.

Therefore, option C is the correct answer, and the other options are incorrect. References :=

FTD URL Filtering - How it works? - Cisco Community

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Access Control

Configuring Filtering Services - Cisco

Configuring URL Filtering - Cisco

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

Explanation

The Trusted Automated eXchangeof Indicator Information (TAXII) specifies mechanisms for exchanging

structured cyber threat information between parties over the network.

TAXII exists to provide specific capabilities to those interested in sharing structured cyber threat information.

TAXII Capabilities are the highest level at which TAXII actions can be described. There are three capabilities

that this version of TAXII supports: push messaging, pull messaging, and discovery.

Although there is no “binding” capability in the list but it is the best answer here.

In Cisco Secure Endpoint, to create a custom detection file list for detecting and quarantining future files, an advanced custom detection should be created, and the hash of each file to be detected and quarantined should be uploaded. This allows the system to uniquely identify and take action on files based on their hash values, providing a precise method for targeting specific malicious or unwanted files.

Explanation

The TLS connections are recorded in the mail logs, along with other significant actions that are related to

messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a

successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS

connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection.

The result of using this authentication protocol in the configuration is that the authentication and authorization requests are grouped in a single packet. This is because the configuration uses RADIUS as the AAA protocol, which combines both authentication and authorization functions in one process. RADIUS is facilitated through AAA and can be enabled only through AAA commands. The aaa new-model global configuration command enables AAA, and the radius-server host command specifies the IP address and the shared secret key of the RADIUS server. The aaa authentication command defines the method list for RADIUS authentication, and the aaa group server command defines the group name and the members of the group. The line and interface commands enable the defined method list to be used. When a user tries to access the router, the router sends a single Access-Request packet to the RADIUS server, which contains the user credentials and other attributes. The RADIUS server then verifies the credentials and returns either an Access-Accept packet, which grants access and may include authorization information, or an Access-Reject packet, which denies access. Therefore, the correct answer is D. References:

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst …

Configuring Basic AAA on an Access Server - Cisco

AAA Server Priority explained with New Radius Server Command Line

Configuring AAA on Cisco Devices – RADIUS and TACACS+ - Study-CCNA

Cisco Umbrella is a cloud-delivered security service that provides DNS-layer security, secure web gateway, firewall, cloud access security broker, and threat intelligence functions. It helps improve security visibility, detect compromised systems, and protect your users on and off the network by stopping threats over any port or protocol before they reach your network or endpoints1. One of the benefits of using Cisco Umbrella is that it can block threats before they launch, reducing response times, and delivering safe, secure internet with Umbrella’s cloud tools2. By intercepting DNS requests and applying security policies, Umbrella can prevent malicious connections from being established, and mitigate attacks before the application connection occurs3. This can also reduce bandwidth costs and improve performance by filtering out unwanted traffic1. References: 1: The Essential Benefits of Cisco Umbrella 2: 5 Reasons to Try Cisco Umbrella Now 3: Why choose Cisco Umbrella for cybersecurity protection