Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

 Split tunneling is a feature that allows VPN users to access both the corporate network and the internet at the same time. By using split tunneling, only the traffic destined for the 10.0.0.0/24 network will be encrypted and sent through the VPN tunnel, while the rest of the traffic will be sent directly to the internet. This reduces the VPN bandwidth load on the headend Cisco ASA and ensures that bandwidth is available for VPN users needing access to corporate resources. Split tunneling can be configured on the ASA by using the split-tunnel-network-list value command under the group-policy attributes. The network list should include the 10.0.0.0/24 network as the only entry. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Connectivity, Lesson 5.1: Implementing Site-to-Site VPNs on Cisco Routers and ASA Firewalls, Topic 5.1.3: Configuring Site-to-Site VPNs on Cisco ASA Firewalls, Subtopic 5.1.3.2: Configuring Split Tunneling.

The correct command to log all events to a destination collector is flow-export event-type all destination 209.165.201.10. This command configures a flow-export action that sends all NSEL events to the specified IP address. NSEL events include flow-create, flow-teardown, flow-denied, and flow-update events. The command must be entered in the policy-map class configuration mode, after defining a policy-map and a class-map that match the traffic and event type. The other commands are incorrect because they either specify the wrong event type (flow-update instead of all) or the wrong destination IP address (209.165.201 instead of 209.165.201.10). References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

Cisco Secure Firewall ASA NetFlow Implementation Guide

Configuring Cisco ASA for NetFlow Export via CLI – Plixer

Joining Cisco WSAs to an appliance group simplifies the task of patching multiple appliances. An appliance group is a collection of WSAs that share the same configuration settings and software versions. Administrators can use appliance groups to apply configuration changes and software updates to multiple WSAs at once, instead of performing these tasks individually for each appliance12. This reduces the administrative overhead and ensures consistency across the WSAs. References:

Appliance groups, section “Appliance Groups”.

What is the purpose of joining Cisco WSAs to an appliance group?

 Cisco Duo is a multi-factor authentication (MFA) solution that verifies the identity of all users with Duo’s easy, one-tap-approval MFA app. It also provides device visibility and adaptive policies to ensure that only trusted devices can access corporate applications and networks. Some of the benefits of using Cisco Duo as an MFA solution are:

It provides a simple and streamlined login experience for multiple applications and users. Users can access all their applications from a single dashboard, and authenticate with a simple push notification or other convenient methods. Duo also supports single sign-on (SSO) for integrated applications, reducing the need for multiple passwords and logins12.

It offers native integration that helps secure applications across multiple cloud platforms or on-premises environments. Duo can be easily integrated with most major apps and custom applications, enabling a secure access solution that can be implemented with minimal IT involvement. Duo also supports various protocols and standards, such as SAML, RADIUS, LDAP, and WebAuthn, to enable seamless integration with different environments13.

 1: Multi-Factor Authentication (MFA) | Duo Security 2: Multi-Factor Authentication (MFA) | Duo Security - Cisco 3: What Is Duo? Two-Factor Authentication From Cisco - Cisco

 The open standard that creates a framework for sharing threat intelligence in a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information across organizations, tools, and platforms. STIX defines a common vocabulary and data model for representing various types of threat intelligence, such as indicators, observables, incidents, campaigns, threat actors, courses of action, and more. STIX also supports the expression of context, relationships, confidence, and handling of the threat information. STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and response.

STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator Information), which is a protocol and transport mechanism that enables the secure and automated communication of STIX data. TAXII defines how to request, send, receive, and store STIX data using standard methods and formats, such as HTTPS, JSON, and XML. TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or subscription-based. TAXII enables the interoperability and scalability of threat intelligence sharing among different systems and organizations.

Explanation

Explanation

Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:

+ Ingress interface (SNMP ifIndex)

+ Source IP address

+ Destination IP address

+ IP protocol

+ Source port for UDP or TCP, 0 for other protocols

+ Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols

+ IP Type of Service

Note: A flow is a unidirectional series of packets between a given source and destination.

 Cisco Cloudlock is a cloud-native security solution that secures public, private, hybrid, and community clouds. It provides visibility, compliance, threat protection, and data security for cloud applications and environments. Cisco Cloudlock integrates with various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365, Salesforce, Dropbox, and more. Cisco Cloudlock monitors user activities, configurations, and sensitive data across the cloud, and alerts or blocks any violations of policies or regulations. Cisco Cloudlock also leverages user and entity behavior analytics (UEBA) to detect and respond to anomalous or malicious behaviors in the cloud. Cisco Cloudlock helps organizations protect their cloud assets and data, while enabling them to embrace the benefits of cloud computing. References :=

Cloud and Application Security - Cisco

Cloud Security Products and Solutions - Cisco

What Is Cloud Security? - Cisco

[Cisco Cloudlock: Cloud-Native CASB and Cloud Cybersecurity Platform]

 Cisco ISE supports two types of WebAuth for BYOD: central WebAuth and local WebAuth. Central WebAuth is the default method and it uses the ISE portal to authenticate the users and redirect them to the BYOD portal. Local WebAuth is an alternative method that uses the network access device (NAD) portal to authenticate the users and then redirects them to the ISE BYOD portal. Both methods require the configuration of a guest component on ISE, which is used to create the BYOD portal and the guest user accounts. The guest component also provides the self-service onboarding and registration features for the BYOD users. The dual component is not related to BYOD, but rather to the dual-SSID method, which uses two separate SSIDs for provisioning and access. The null WebAuth component is not a valid option for BYOD. References :=

Some possible references are:

Cisco ISE BYOD Prescriptive Deployment Guide

Configure Single SSID Wireless BYOD on Windows and ISE

Cisco ISE for BYOD and Secure Unified Access, 2nd Edition

Contextual awareness is the ability to collect and analyze information about the network environment, such as users, devices, applications, threats, and vulnerabilities, and use it to enhance security policies and actions. Cisco Firepower is a network security device that supports contextual awareness by providing real-time visibility into network traffic and activity, security intelligence from Cisco Talos and other sources, and advanced threat protection with Cisco AMP and sandboxing. Cisco Firepower can also leverage Cisco pxGrid to share contextual data with other security solutions, such as SIEM and TD platforms, to enable faster and more accurate threat detection and response123 References := 1: Cisco Firepower NGIPS Data Sheet - Cisco 2: Cisco Identity Services Engine with Integrated Security Information and Event Management and Threat Defense Platforms At-a-Glance - Cisco 3: A Visibility-Driven Approach to Next-Generation Firewalls

Explanation

A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.

In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the client with this patch.

Explanation

Explanation

Cisco Security Manager provides a comprehensive management solution for:

– Cisco ASA 5500 Series Adaptive Security Appliances

– Cisco intrusion prevention systems 4200 and 4500 Series Sensors

– Cisco AnyConnect Secure Mobility Client

Explanation

A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.