DNS tunneling is a technique that encodes data of other programs and protocols in DNS queries, including data payloads that can be used to control a remote server and applications1. DNS exfiltration is a form of DNS tunneling that allows attackers to extract data from a compromised system by sending encoded DNS requests to a domain under their control2. The direction of the data transfer in DNS exfiltration is outbound, meaning from the victim’s network to the attacker’s network. This is different from inbound, which means from the attacker’s network to the victim’s network, or north-south and east-west, which are terms used to describe the traffic flow between different network segments or zones3. Outbound DNS requests are often allowed by default in many firewalls and network devices, making them an attractive channel for data exfiltration4. However, DNS exfiltration can be detected and prevented by using security solutions that monitor and analyze DNS traffic for anomalies and malicious patterns5.

 1: Improvements to DNS Tunneling & Exfiltration Detection - Cisco Umbrella 2: DNS Exfiltration & Tunneling: How it Works & DNSteal Demo Setup 3: What Is DNS Tunneling? - Palo Alto Networks 4: DNS Data Exfiltration and DNS Tunneling | Vercara 5: DNS Exfiltration: The Light at the End of the DNS Tunnel - site

Explanation

Explanation

Depending on your company policy, you might be able to use your mobile phones, tablets, printers, Internet radios, and other network devices on your company’s network. You can use the My Devices portal to register and manage these devices on your company’s network.

Explanation

Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity using a

second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they

know your password.

Note: Single sign-on (SSO) is a property of identity and access management that enables users to securely

authenticate with multiple applications and websites by logging in only once with just one set of credentials

(username and password). With SSO, the application or website that the user is trying to access relies on a

trusted third party to verify that users are who they say they are.

Explanation

FlexVPN supports IKEv2 - > Answer A is not correct.

DMVPN supports both IKEv1 & IKEv2 - > Answer B is not correct.

FlexVPN support multiple SAs - > Answer D is not correct.

Cisco Container Platform (CCP) is a security product that enables administrators to deploy Kubernetes clusters in air-gapped sites without needing Internet access. CCP tenant images contain all the necessary binaries and don’t need internet access to function. CCP also supports offline installation and updates of the platform components. CCP is designed to simplify the deployment and management of containerized applications across hybrid cloud environments, while ensuring security and compliance. CCP integrates with Cisco security solutions such as Cisco Tetration and Cisco Stealthwatch Cloud to provide visibility and protection for Kubernetes clusters and workloads. CCP also leverages Cisco Intersight, a cloud-based management platform, to provide centralized monitoring and automation for CCP clusters. References:

Cisco Container Platform

350-701 SCOR Cisco CCNP Security Updated Questions in April

The WSA uses a root certificate and a private key to decrypt HTTPS traffic. The root certificate must reside in the trusted store of the WSA, and it must be able to sign server certificates on the fly. The server certificates that the WSA generates must contain a SAN (Subject Alternative Name) field, which specifies the hostnames or IP addresses that the certificate is valid for. The SAN field is required by modern browsers and applications to verify the identity of the server. If the WSA does not include a SAN field in the server certificate, the browser or application may reject the connection or display a warning message.

The other options are not correct because:

A. The current date is not a criterion for the WSA to use a certificate to decrypt application traffic. The WSA checks the validity period of the certificate, which includes the start date and the end date. The current date must be within the validity period, but it does not have to be the same as the start date or the end date.

C. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to reside in the trusted store of the endpoint. However, the endpoint must trust the root certificate in order to accept the server certificate that the WSA generates. This can be achieved by manually installing the root certificate on the endpoint, or by using a group policy or a certificate management system to distribute the root certificate to the endpoints.

D. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to be signed by an internal CA. The WSA can generate its own self-signed root certificate, or it can use a root certificate that is signed by an external CA. However, the root certificate must be trusted by the endpoints, as explained in option C.

References := : WSA Certificate Usage for HTTPS Decryption : [User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic]

 The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter. References :=

Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02

Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?

 A SYN flood is a type of denial-of-service (DoS) attack that exploits the TCP three-way handshake process to exhaust the resources of a target server. The attacker sends a large number of SYN packets to the target server, each with a spoofed source IP address. The target server allocates resources for each incoming SYN packet and responds with a SYN-ACK packet to the spoofed address. However, the spoofed address never sends back the final ACK packet to complete the connection, leaving the target server with many half-open connections that eventually fill up its connection table. This prevents the target server from accepting new legitimate connections and causes service disruption123 References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: SYN Flood Explained. How to Prevent this Attack from Taking over your … 3: What is a SYN flood attack? | Cloudflare

To achieve the goal of excluding some servers from the VPN tunnel and accessing them directly, the engineer must modify the group policy that is applied to the remote access VPN users. The group policy contains the settings for split tunneling, which is a feature that allows the VPN client to route some traffic through the VPN tunnel and some traffic directly to the internet. Split tunneling can be configured based on the destination IP address, the application, or the domain name of the traffic. By modifying the group policy, the engineer can specify which servers or networks should be excluded from the VPN tunnel and accessed directly by the VPN client. This can improve the performance and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and the corporate network. However, split tunneling also introduces some security risks, such as exposing the VPN client to internet threats, bypassing the corporate firewall and security policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the trade-offs and best practices of using split tunneling for remote access VPNs. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN, Subtopic 3.1.4.2: Configure and Verify Split Tunneling

VPN Split Tunneling: What It Is & Pros and Cons

Cisco ASA - Enable Split Tunnel for Remote VPN Clients

 When adding a device to Firepower Management Center, you need to provide a registration key, which is a unique alphanumeric string that you create and enter on both the device and the Firepower Management Center. The registration key is used to authenticate the device and the Firepower Management Center to each other. You do not need to provide the username and password, encryption method, or device serial number when adding a device to Firepower Management Center1. References: 1: How to Manage a Device with the Firepower Management Center - Configure the Managed Device

Explanation

Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network, delivered from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer SaaS products and desire better awareness and security in their on-premises environments while reducing capital expenditure and

operational overhead. It works by deploying lightweight software in a virtual machine or server that can

consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.

This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in order to provide visibility and effectively identify active threats, and monitors user and device behavior within onpremises networks.

The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on hardware running a number of different Linux-based operating systems.

Threat intelligence is the term for having information about threats and threat actors that helps mitigate harmful events that would otherwise compromise networks or systems. Threat intelligence is the result of collecting, analyzing, and contextualizing data from various sources, such as network traffic, logs, feeds, reports, etc. Threat intelligence provides insights into the tactics, techniques, and procedures (TTPs) of adversaries, as well as their motivations, intentions, and capabilities. Threat intelligence can help organizations to detect, prevent, and respond to cyberattacks, as well as to improve their security posture and resilience12. The other options are not correct, because they are not terms for having information about threats and threat actors. Trusted automated exchange is a concept that refers to the sharing of threat intelligence among trusted entities in a timely and secure manner3. Indicators of Compromise (IoCs) are pieces of forensic data, such as IP addresses, domains, hashes, etc., that indicate a potential intrusion or compromise of a system or network. The Exploit Database is a public repository of exploits and vulnerable software, maintained by Offensive Security. References:

1: What is Cyber Threat Intelligence? - Cisco

2: Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

3: Trusted Automated Exchange of Intelligence Information (TAXII™) Version 2.0

[4]: What Are Indicators of Compromise (IOCs)? - Cisco

[5]: The Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers

3DES is a symmetric-key block cipher that applies the DES algorithm three times to each data block. It was developed to improve the security of DES, which has a small key size and is vulnerable to brute-force attacks. 3DES encrypts traffic by using three different keys, each 56 bits long, to perform three rounds of encryption on the plaintext. The encryption process can be described as follows:

Encrypt the plaintext with the first key (K1).

Decrypt the result with the second key (K2).

Encrypt the result again with the third key (K3).

The final ciphertext is the output of the third encryption. The decryption process is the reverse of the encryption process, using the same keys in reverse order:

Decrypt the ciphertext with the third key (K3).

Encrypt the result with the second key (K2).

Decrypt the result again with the first key (K1).

The final plaintext is the output of the third decryption. 3DES is more secure than DES because it uses a longer effective key length of 168 bits (56 x 3), which makes brute-force attacks more difficult. However, 3DES is also slower than DES because it requires three times more computations. Moreover, 3DES has some weaknesses, such as the meet-in-the-middle attack, which can reduce the effective key length to 112 bits. Therefore, 3DES is not recommended for new applications and has been deprecated by NIST since 201712

References := 1: NIST Special Publication 800-67 Revision 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 2: What is 3DES encryption and how does DES work? | Comparitech