Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Explanation

Community Cloud allows system and services to be accessible by group of organizations. It shares the

infrastructure between several organizations from a specific community. It may be managed internally by

organizations or by the third-party.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_using_intrusion_and_file_policies.html#:~:text=File%20Policies-,Access%20Control%20Traffic%20Handling%20with%20Intrusion%20and%20File%20Policies,-The%20following%20diagram

the first three access control rules in the policy—Monitor, Trust, and Block—cannot inspect matching traffic. Monitor rules track and log but do not inspect network traffic, so the system continues to match traffic against additional rules to determine whether to permit or deny it

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_rules.html#:~:text=Rule%20Blocking%20Actions-,Access%20Control%20Rule%20Allow%20Action,network%20discovery%20policy%3B%20additionally%2C%20application%20discovery%20is%20limited%20for%20encrypted%20sessions.,-Related%20Concepts

sfr {fail-open | fail-close [monitor-only]} <- There's a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn't seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

 Multifactor authentication (MFA) is a solution that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. MFA is more secure than the traditional use of a username and password because it reduces the risk of identity theft, phishing, and credential compromise. MFA can use different types of factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart card), or something the user is (e.g., fingerprint, facial recognition). MFA can be implemented using various methods, such as security defaults, Conditional Access policies, or third-party solutions123. References:

https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661

https://www.onelogin.com/learn/what-is-mfa

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

Explanation

In order to use AAA along with an external token authentication mechanism, set the “Method” as “Both” in

the Authentication.

One of the key capabilities of endpoint security is to prevent phishing attacks by ensuring that antivirus and anti malware software is up to date. This helps to detect and block malicious attachments or links that may be embedded in phishing emails. Antivirus and anti malware software can also scan the endpoint for any signs of compromise or infection that may have resulted from a successful phishing attack. Additionally, endpoint security can provide data loss prevention (DLP) features that can prevent sensitive data from being exfiltrated by attackers who have gained access to the endpoint through phishing. References :=

Some possible references are:

Endpoint Security and Phishing: What to Know

Protect Against Spear Phishing with Endpoint Security

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Explanation

Explanation

… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower

Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

To add switches into the fabric for private cloud management, administrators can use the following two methods:

PowerOn Auto Provisioning (POAP): This method allows the switches to be automatically discovered and provisioned by DCNM using a POAP configuration file. The switches are assigned an IP address and a startup configuration based on the fabric settings and policies. The switches are then added to the fabric and deployed with the VXLAN EVPN configuration. This method is suitable for greenfield deployments or adding new switches to an existing fabric12.

Seed IP: This method allows the administrators to manually specify the IP address of the switches that they want to add to the fabric. The switches must have a reachable IP address and a username and password that match the fabric settings. The switches are then added to the fabric and deployed with the VXLAN EVPN configuration. This method is suitable for brownfield deployments or transitioning existing switches to DCNM management12. References: Cisco NDFC Fabric Controller Configuration Guide, Release 12.0.x, Cisco DCNM LAN Fabric Configuration Guide, Release 11.5(x).

Explanation

The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered. (-> Therefore answer “integrity” is the best choice). HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.

Explanation

A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3 main methods:

1. Terminal Enrollment – manual method of performing trustpoint authentication and certificate enrolment using copy-paste in the CLI terminal.

2. SCEP Enrollment – Trustpoint authentication and enrollment using SCEP over HTTP.

3. Enrollment Profile – Here, authentication and enrollment methods are defined separately. Along with terminal and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to perform file retrieval from the Server, which is defined using an authentication or enrollment url under the profile.

 The RADIUS CoA feature supports five IETF attributes as defined in RFC 5176. These are:

Event-Timestamp: This attribute indicates the time when the CoA request was generated by the server.

State: This attribute contains a value that is copied from the Access-Accept message that authorized the session.

Session-Timeout: This attribute specifies the maximum number of seconds of service provided to the user before termination of the session or prompt.

Idle-Timeout: This attribute specifies the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter-Id: This attribute identifies the filter list to be applied to the user session.

The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined by Cisco or other vendors. These VSAs can be used to perform additional actions such as port shutdown, port bounce, or security and password accounting. References :=

Some possible references are:

RFC 5176: This document describes the dynamic authorization extensions to RADIUS, including the CoA request and response codes, and the supported IETF attributes.

RADIUS Change of Authorization - Cisco: This document provides the configuration guide for the RADIUS CoA feature on Cisco IOS devices, including the supported IETF and Cisco VSAs.

Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists the supported IETF attributes and error clause values for the RADIUS CoA feature on Ruckus devices.

V