Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

A network discovery policy is required for the health monitoring feature on the Cisco Firepower Next Generation Intrusion Prevention System (NGIPS). Health monitoring allows the system to collect and display information about the health and performance of the managed devices, such as CPU, memory, disk, and interface utilization, as well as the status of various processes and services. Health monitoring also enables the system to generate alerts and notifications when certain thresholds or conditions are met or violated.

To enable health monitoring, the system must have access to the network data from the managed devices, which is provided by the network discovery policy. The network discovery policy controls how the system collects data on the network assets and which network segments and ports are monitored. The network discovery policy also specifies the zones to which the policy is deployed, which determines the scope of the health monitoring data. Without a network discovery policy, the system cannot perform health monitoring on the NGIPS devices.

References :=

1: Network Discovery Policies, Cisco Firepower Management Center Configuration Guide, Version 7.0, page 1. 2: Health Monitoring, Cisco Firepower Management Center Configuration Guide, Version 7.0, page 1.

 The open standard that creates a framework for sharing threat intelligence in a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information across organizations, tools, and platforms. STIX defines a common vocabulary and data model for representing various types of threat intelligence, such as indicators, observables, incidents, campaigns, threat actors, courses of action, and more. STIX also supports the expression of context, relationships, confidence, and handling of the threat information. STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and response.

STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator Information), which is a protocol and transport mechanism that enables the secure and automated communication of STIX data. TAXII defines how to request, send, receive, and store STIX data using standard methods and formats, such as HTTPS, JSON, and XML. TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or subscription-based. TAXII enables the interoperability and scalability of threat intelligence sharing among different systems and organizations.

Transparent traffic redirection using WCCP is a deployment mode for the Cisco WSA that allows it to intercept and proxy web requests from client applications without requiring any configuration on the clients. This mode increases the visibility and control of web traffic, while making the proxy function invisible to the users. To support this mode, the Cisco WSA must be configured to use the transparent proxy mode, which enables it to listen on ports 80 and 443 for HTTP and HTTPS traffic, respectively. The Cisco WSA must also be configured to use WCCP service IDs, which are numerical identifiers that specify the type and range of ports to be redirected. For example, service ID 0 (web-cache) redirects port 80, service ID 70 (https-cache) redirects port 443, and service ID 60 (ftp-native) redirects port 21 and a range of passive FTP ports. The Cisco WSA must also be configured to join a WCCP group, which is a set of WCCP routers or switches that cooperate to redirect traffic to the WSA. The WCCP group can be specified by a group list, which is an access list that defines the IP addresses of the WCCP routers or switches, or by a password, which is a shared secret that authenticates the WCCP communication. The WCCP group must also be configured on the network device that performs the traffic redirection, such as a Cisco router, switch, or ASA firewall. The network device must support WCCPv2, which is the latest version of the protocol that allows for advanced features such as load balancing, encryption, and GRE encapsulation. The network device must also be configured to use the same WCCP service IDs and group list or password as the Cisco WSA. The network device must also be configured to apply the WCCP redirection to the appropriate interface and direction, such as the inside interface and inbound direction for traffic originating from the internal network. The network device must also be configured to use an access list that defines the traffic to be redirected or bypassed, such as the source and destination IP addresses, ports, and protocols. The access list can also be used to exclude certain traffic from WCCP redirection, such as traffic to private or internal destinations, or traffic from specific hosts123 References := 1: Configure Transparent Redirection With WCCP in Order to Redirect Native FTP Traffic - Cisco 2: Solved: Transparent Redirection - Cisco Community 3: Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP - Cisco Community

DHCP option 82 is a feature that allows the network access device (NAD) to insert additional information into the DHCP request packet from the endpoint. This information can include the switch ID, port number, VLAN ID, and other attributes that can help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to assign the endpoint to the appropriate identity group, policy, and authorization profile. DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and parse the option 82 data from the NAD. For more details on how to configure DHCP option 82 on Cisco ISE and NAD, see the references below. References:

Configuring the DHCP Probe

Securing Your Network From DHCP Risks

Can we use ISE as DHCP/DNS server to prevent guest traffic using …

A teardrop attack is a type of DoS attack that uses fragmented packets in an attempt to crash a target machine. The attacker sends IP packets that are deliberately malformed, such that the fragments overlap or have invalid offsets. When the target machine tries to reassemble the packets, it encounters an error or a buffer overflow, resulting in a system crash or a denial of service. Teardrop attacks exploit a vulnerability in the TCP/IP fragmentation reassembly process, which is responsible for splitting and recombining large packets that exceed the maximum transmission unit (MTU) size. Teardrop attacks can affect various operating systems, such as Windows, Linux, and BSD, depending on the implementation of the TCP/IP stack. Teardrop attacks are also known as IP fragmentation attacks or overlapping fragment attacks. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: Cloud Security Threats, Topic 5.2.2: DoS Attacks

What is an IP Fragmentation Attack (Teardrop ICMP/UDP)

Teardrop Attack - Radware

What Is a Teardrop Attack? | F5

Configure a Crypto ISAKMP Key

In order to configure a preshared authentication key, enter the crypto isakmp key command in global configuration mode:

crypto isakmp key cisco123 address 172.16.1.1

https://community.cisco.com/t5/vpn/isakmp-with-0-0-0-0-dmvpn/td-p/4312380

It is a bad practice but it is valid. 172.16.0.0/16 the full range will be accepted as possible PEER

https://www.examtopics.com/discussions/cisco/view/46191-exam-350-701-topic-1-question-71-discussion/#:~:text=Command%20reference%20is%20not%20decisive,172.16.1.128%20cisco123%0ACSR%2D1(config)%23

Testing without a netmask shows that command interpretation has a preference for /16 and /24. CSR-1(config)#crypto isakmp key cisco123 address 172.16.0.0

CSR-1(config)#do show crypto isakmp key | i cisco

default 172.16.0.0 [255.255.0.0] cisco123

CSR-1(config)#no crypto isakmp key cisco123 address 172.16.0.0

CSR-1(config)#crypto isakmp key cisco123 address 172.16.1.0

CSR-1(config)#do show crypto isakmp key | i cisco

default 172.16.1.0 [255.255.255.0] cisco123

CSR-1(config)#no crypto isakmp key cisco123 address 172.16.1.0

CSR-1(config)#crypto isakmp key cisco123 address 172.16.1.128

CSR-1(config)#do show crypto isakmp key | i cisco default 172.16.1.128 cisco123

CSR-1(config)#

Explanation

All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy section.

The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose which policy is sent first using the priority field. Priority 1 will be sent first.

Explanation

The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the

highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the

software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that

gives someone – with legitimate or malicious intentions – privileged access to a computer.

There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits

Based on the configuration script in the image, the interface GigabitEthernet0/0/18 is configured for both 802.1X and MAB authentication. The command authentication port-control auto enables 802.1X authentication on the port, while the command dot1x pae authenticator enables the port to act as an authenticator. The command authentication host-mode multi-domain enables MAB authentication on the port, and allows two devices to be authenticated, one in the voice VLAN and one in the data VLAN. Therefore, when a device tries to connect to the port, the switch will first attempt 802.1X authentication, and if it fails, it will fall back to MAB authentication using the device’s MAC address. The switch will then contact the ISE server, which is configured as the RADIUS server group ise-group, to verify the device’s credentials and assign the appropriate access level based on the ISE policy. The ISE policy can also dynamically assign VLANs, ACLs, or service policies to the device based on its identity and posture. References :=

Some possible references are:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 6: Secure Connectivity, Lesson 6.2: Implementing Site-to-Site VPNs, Topic 6.2.2: Group Encrypted Transport VPN

Cisco IOS Security Configuration Guide, Release 15M&T - Configuring IEEE 802.1x Port-Based Authentication

Cisco IOS Security Configuration Guide, Release 15M&T - Configuring MAC Authentication Bypass

Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Wired 802.1X and MAB

the interface configuration. MAB stands for MAC Authentication Bypass, which is a feature that allows devices that do not support 802.1X, such as printers and video cameras, to bypass the authentication process and gain network access based on their MAC addresses1. By adding mab to the interface configuration, the Cisco ISE administrator can enable MAB as a fallback method after 802.1X fails or times out. This way, the devices that support 802.1X can use their machine certificate credentials, while the devices that do not support 802.1X can use their MAC addresses to authenticate with Cisco ISE2. The other options are not correct because they either compromise the security controls or do not address the problem. Changing the default policy in Cisco ISE to allow all devices not using machine authentication would weaken the security posture and expose the network to unauthorized access. Enabling insecure protocols within Cisco ISE in the allowed protocols configuration would also reduce the security level and increase the risk of attacks. Configuring authentication event fail retry 2 action authorize vlan 41 on the interface would only apply to the devices that fail authentication twice, and would not solve the issue for the devices that do not support 802.1X at all3. References:

1: MAC Authentication Bypass Deployment Guide

2: Configuring MAC Authentication Bypass

3: Cisco Identity Services Engine Administrator Guide, Release 3.1 - Segmentation