Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Explanation

The TLS connections are recorded in the mail logs, along with other significant actions that are related to

messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a

successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS

connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection.

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs

IPsec - Wikipedia

AH and ESP protocols - IBM

How TLS provides identification, authentication, confidentiality, and integrity - IBM

The WSA uses a root certificate and a private key to decrypt HTTPS traffic. The root certificate must reside in the trusted store of the WSA, and it must be able to sign server certificates on the fly. The server certificates that the WSA generates must contain a SAN (Subject Alternative Name) field, which specifies the hostnames or IP addresses that the certificate is valid for. The SAN field is required by modern browsers and applications to verify the identity of the server. If the WSA does not include a SAN field in the server certificate, the browser or application may reject the connection or display a warning message.

The other options are not correct because:

A. The current date is not a criterion for the WSA to use a certificate to decrypt application traffic. The WSA checks the validity period of the certificate, which includes the start date and the end date. The current date must be within the validity period, but it does not have to be the same as the start date or the end date.

C. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to reside in the trusted store of the endpoint. However, the endpoint must trust the root certificate in order to accept the server certificate that the WSA generates. This can be achieved by manually installing the root certificate on the endpoint, or by using a group policy or a certificate management system to distribute the root certificate to the endpoints.

D. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to be signed by an internal CA. The WSA can generate its own self-signed root certificate, or it can use a root certificate that is signed by an external CA. However, the root certificate must be trusted by the endpoints, as explained in option C.

References := : WSA Certificate Usage for HTTPS Decryption : [User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic]

DMVPN and sVTI are both VPN technologies that use IPsec to secure the tunnel traffic. However, they differ in how they establish and manage the tunnels. DMVPN supports dynamic tunnel establishment, which means that the VPN endpoints can create and delete tunnels on demand, based on the routing information. This allows for a scalable and flexible VPN topology, where the endpoints can communicate directly with each other without going through a central hub. sVTI, on the other hand, supports static tunnel establishment, which means that the VPN endpoints have to manually configure the tunnel source and destination addresses. This requires a one-to-one mapping between the endpoints, and limits the VPN topology to a hub-and-spoke model, where the endpoints can only communicate with the hub. Therefore, DMVPN is more suitable for large and dynamic VPN networks, while sVTI is more suitable for small and stable VPN networks. References:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Secure Connectivity, Lesson 5.2: Implementing Site-to-Site VPNs, Topic 5.2.3: Dynamic Multipoint VPN (DMVPN)

what is difference between svti and DVTI? - Cisco Community

Cisco Umbrella is a cloud-delivered security service that protects users from malicious domains and IPs, regardless of their location or network. When users are off the corporate network, they can use the Cisco Umbrella roaming client, which is embedded in the Cisco AnyConnect client, to enforce Umbrella DNS servers for all DNS queries. This way, Umbrella can block requests to malicious or unwanted domains before a connection is ever made, and provide visibility and protection for users anywhere they go. The Umbrella roaming client does not require any additional agents or end user action, and it can work with or without a VPN connection. References := Cisco Umbrella Roaming, Umbrella Roaming Client – How it Works on Your Company Network

Explanation

The syntax of this command is shown below:

snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]

The command above restricts which IP source addresses are allowed to access SNMP functions on the router. You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don’t come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing through on their way to some other destination device.

Container orchestration is the automated process of organizing the functions of modular, containerized components that create the infrastructure of an application1. Container orchestration tools, such as Kubernetes, provide a framework for managing containers and microservices architecture at scale2. A feature of container orchestration is the ability to deploy Kubernetes clusters in air-gapped sites, which are isolated from the internet and other networks for security reasons3. Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of Kubernetes clusters in any environment, including air-gapped sites4. CCP provides a data plane that runs on the Kubernetes nodes and handles the container networking, storage, and security. CCP also provides a control plane that runs on a separate management cluster and provides a web-based user interface and API for cluster operations. CCP supports the deployment of Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) clusters on the data plane, but not on air-gapped sites. References: 1: What Is Container Orchestration? | AppDynamics 2: What is container orchestration? - Red Hat 3: Container orchestration for microservices - Azure Architecture Center 4: Cisco Container Platform Data Sheet : Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Cloud and Network Security, Lesson 5.3: Cisco Cloud Security Solutions, Topic 5.3.2: Cisco Container Platform : Cisco Container Platform User Guide, Release 5.1, Chapter: Deploying Amazon ECS Clusters

Explanation

TAXII (Trusted Automated Exchange of Indicator Information) is a standard that provides a transport

A PAC file is a Proxy Auto-Configuration file that contains a JavaScript function that determines whether web browser requests go directly to the destination or are forwarded to a web proxy server. A PAC file allows the client desktop browsers to be configured to select when to connect direct or when to use the proxy based on the URL and the host name. A PAC file can be downloaded from a web server or a local file. A PAC file is more suitable for complex proxy configurations or multiple proxy servers12

A transparent mode is a proxy configuration where the client browsers do not need to be configured to use the proxy. The proxy intercepts the traffic and forwards it to the destination. A transparent mode does not allow the client browsers to select when to connect direct or when to use the proxy34

A forward file is not a valid proxy configuration method.

A bridge mode is a network configuration where a device connects two or more network segments and forwards traffic between them. A bridge mode is not a proxy configuration method5 References := 1: Proxy Auto-Configuration (PAC) file - HTTP | MDN 2: Proxy auto-config - Wikipedia 3: Explicit and Transparent Proxy - techdocs.broadcom.com 4: Configure Explicit Proxy - Palo Alto Networks | TechDocs 5: config web-proxy explicit | FortiGate / FortiOS 7.4.0

 IKEv1 is the authentication protocol that is reliable and supports ACK and sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1 uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the peers authenticate each other and negotiate a shared secret key that is used to encrypt the subsequent messages. In phase 2, the peers negotiate the security parameters for the IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the reliability and integrity of the messages exchanged between the peers. ACK is an acknowledgment message that confirms the receipt of a previous message. Sequence number is a unique identifier that is assigned to each message to prevent replay attacks and to detect missing or out-of-order messages. IKEv1 also supports various authentication methods, such as pre-shared keys, digital certificates, and extended authentication (XAUTH). References : Internet Key Exchange for IPsec VPNs Configuration Guide, Security for VPNs with IPsec Configuration Guide, IPSec Architecture

Explanation

To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that

determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.