Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Explanation

Explanation

Many enterprises prefer to deploy development workloads in the public cloud, primarily for convenience and

faster deployment. This approach can cause concern for IT administrators, who must control the flow of IT

traffic and spending and help ensure the security of data and intellectual property. Without the proper controls,

data and intellectual property can escape this oversight. The Cisco Intercloud Fabric solution helps control this

shadow IT, discovering resources deployed in the public cloud outside IT control and placing these resources

under Cisco Intercloud Fabric control.

Cisco Intercloud Fabric addresses the cloud deployment requirements appropriate for two hybrid cloud

deployment models: Enterprise Managed (an enterprise manages its own cloud environments) and Service

Provider Managed (the service provider administers and controls all cloud resources).

A network discovery policy is required for the health monitoring feature on the Cisco Firepower Next Generation Intrusion Prevention System (NGIPS). Health monitoring allows the system to collect and display information about the health and performance of the managed devices, such as CPU, memory, disk, and interface utilization, as well as the status of various processes and services. Health monitoring also enables the system to generate alerts and notifications when certain thresholds or conditions are met or violated.

To enable health monitoring, the system must have access to the network data from the managed devices, which is provided by the network discovery policy. The network discovery policy controls how the system collects data on the network assets and which network segments and ports are monitored. The network discovery policy also specifies the zones to which the policy is deployed, which determines the scope of the health monitoring data. Without a network discovery policy, the system cannot perform health monitoring on the NGIPS devices.

References :=

1: Network Discovery Policies, Cisco Firepower Management Center Configuration Guide, Version 7.0, page 1. 2: Health Monitoring, Cisco Firepower Management Center Configuration Guide, Version 7.0, page 1.

Workloaded security models are ways of protecting applications, services, and capabilities that run on a cloud resource. Virtual machines, databases, containers, and applications are all considered cloud workloads. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud. Depending on the deployment model, the cloud workload security can vary in terms of responsibility, visibility, and control.

Infrastructure as a service (IaaS) is a cloud deployment model where the cloud provider offers the basic computing infrastructure, such as servers, storage, and networking, as a service. The customer is responsible for installing, configuring, and managing the operating systems, applications, and security of the workloads that run on the cloud infrastructure. IaaS provides the customer with more flexibility and control over the workload security, but also more complexity and overhead.

On-premises is a deployment model where the customer owns and operates the entire IT infrastructure, including the hardware, software, and security. The customer has full responsibility and control over the workload security, but also the highest cost and maintenance. On-premises deployment can offer more security and compliance than cloud deployment, depending on the customer’s security posture and practices.

https://www.cisco.com/site/us/en/products/security/secure-workload/index.html

https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-workload-security/

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_client_posture_policies.html#:~:text=Policy%20Requirement%20Types-,Mandatory%20Requirements,the%20requirements%20within%20the%20time%20specified%20in%20the%20remediation%20timer%20settings.,-For%20example%2C%20you

Mandatory Requirements During policy evaluation, the agent provides remediation options to clients who fail to meet the mandatory requirements defined in the posture policy. End users must remediate to meet the requirements within the time specified in the remediation timer settings

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

Configure Windows Policy in AMP for Endpoints - Cisco

Prevent, Detect and Respond with Cisco AMP for Endpoints

 The dot1x system-auth-control command enables 802.1X globally on a Cisco switch. This command allows the switch to act as an authenticator for 802.1X clients connected to the switch ports. The switch will then communicate with a RADIUS server to authenticate the clients and grant or deny access to the network. The other commands are not related to enabling 802.1X globally. The dot1x pae authenticator command enables 802.1X authentication on a specific interface. The authentication port-control aut command enables automatic port-based authentication on an interface. The aaa new-model command enables the AAA framework for authentication, authorization, and accounting. References :=

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html

In a man-in-the-middle (MITM) attack, the attacker inserts their machine between two hosts that are communicating with each other, and secretly relays and possibly alters the messages between them. The attacker can intercept, modify, or spoof the data, and the hosts are unaware that their communication is compromised. A MITM attack can target any communication channel that uses weak or no encryption, such as email, web, or wireless networks. A MITM attack can break the confidentiality, integrity, and authenticity of the communication, and can have various goals, such as eavesdropping, stealing credentials, impersonating a legitimate party, or redirecting traffic. A MITM attack can be prevented by using strong encryption protocols, such as TLS, IPSec, or SSH, and verifying the identity of the communication endpoints using certificates or other means. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Man-in-the-middle attack - Wikipedia, Man-in-the-Middle Attack: Types and Examples - Fortinet

The crypto isakmp identity hostname command is required to define the identity used by the router when participating in the Internet Key Exchange protocol. This command is needed when you specify preshared keys for authentication. The ip name-server command is required to specify the IP address of the DNS server that can resolve the FQDN of the remote peer. This command is needed when you use the crypto isakmp key command with the hostname option instead of the address option. The other commands are not required or correct for this scenario. References: 1, 2, 3

A NetFlow version 9 template record is a record that contains information about the fields that will be present in the data records that follow the template. A template record consists of a template ID, a field count, and a list of field types and lengths. A template record is sent periodically by the NetFlow exporter to the NetFlow collector, so that the collector can parse and interpret the data records correctly. A template record can also be requested by the collector using an options template record. The purpose of a template record is to define the format of data records, which contain the actual information about the IP flows1234.

A. It specifies the data format of NetFlow processes. - This is incorrect, because a template record does not specify the data format of NetFlow processes, but rather the data format of data records. NetFlow processes are the functions that perform flow creation, aggregation, export, and analysis on the NetFlow device or the collector. B. It provides a standardized set of information about an IP flow. - This is incorrect, because a template record does not provide any information about an IP flow, but rather the information about the fields that will be present in the data records. The data records are the ones that provide the information about an IP flow, such as source and destination IP addresses, ports, protocols, bytes, packets, timestamps, and so on. C. It defines the format of data records. - This is correct, because a template record defines the format of data records by specifying the field types and lengths that will be present in the data records. A template record allows the NetFlow collector to parse and interpret the data records correctly, and also enables the NetFlow exporter to use different formats for different types of flows. D. It serves as a unique identification number to distinguish individual data records. - This is incorrect, because a template record does not serve as a unique identification number, but rather as a description of the fields. A template record has a template ID, which is a 16-bit value that identifies the template record uniquely within an export packet, but this ID is not used to distinguish individual data records. The data records are distinguished by their position within the export packet and their association with a template record.

References := 1: NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco … 2: NetFlow V9 formats - IBM 3: Netflow :: Version 9 - Caligare 4: NetFlow Versions > NetFlow for Cybersecurity | Cisco Press

Cisco ISE uses probes to collect endpoint attributes that are used in profiling. Probes are software modules that run on the ISE Policy Service Nodes (PSNs) and gather information about the endpoints connected to the network. Probes can use various protocols and methods to collect endpoint attributes, such as RADIUS, DHCP, SNMP, HTTP, DNS, NetFlow, NMAP, Active Directory, and Cisco pxGrid. The collected attributes are then matched to predefined or custom conditions that define the endpoint profiles. Endpoint profiling enables ISE to identify and classify the endpoints and apply the appropriate policies based on their identity, role, and context12. References: 1: Cisco ISE 2.4 Endpoint Profiling - Cisco 2: How To Create an Endpoint Profile - Cisco Community

The Python script code snippet for the Cisco ASA REST API is used to add a global rule into policies. The script uses the urllib2 module to create an HTTP request with the URL, headers, and post_data. The post_data is a JSON object that contains the parameters for the global rule, such as the destination service, the source address, the permit value, and the position. The script also uses the base64 module to encode the username and password for authentication. The script then sends the request to the ASA REST API and prints the status code and the response. If the status code is 201, it means the operation was successful and the global rule was added. If the status code is not 201, it means there was an error and the script prints the JSON error message. The script also handles any HTTP errors and value errors that might occur during the execution. References:

Cisco ASA REST API Quick Start Guide

Configure Secure Access to Use REST API with Python

GitHub - timwukp/Cisco-ASA-REST-API