Explanation

Cisco ISE can determine the type of device or endpoint connecting to the network by performing “profiling.”

Profiling is done by using DHCP, SNMP, Span, NetFlow, HTTP, RADIUS, DNS, or NMAP scans to collect as

much metadata as possible to learn the device fingerprint.

NMAP (“Network Mapper”) is a popular network scanner which provides a lot of features. One of them is the

OUI (Organizationally Unique Identifier) information. OUI is the first 24 bit or 6 hexadecimal value of the MAC

address.

Note: DHCP probe cannot collect OUIs of endpoints. NMAP scan probe can collect these endpoint attributes:

+ EndPointPolicy

+ LastNmapScanCount

+ NmapScanCount

+ OUI

+ Operating-system

 ICMP is a protocol that is used to send diagnostic messages between hosts on a network. It is not designed to carry any data, but it can be abused by attackers to exfiltrate data from a compromised host. By encrypting the payload in an ICMP packet, the attacker can hide the data from network monitoring tools and firewalls that may not inspect ICMP traffic. The attacker can then use another tool to decrypt the data from the ICMP packets on a remote host. This technique is known as ICMP tunneling and it is a form of protocol tunneling (MITRE T1572: Protocol Tunneling1). References:

1: https://attack.mitre.org/techniques/T1572/

2: https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-icmp-tunneling-to-own-your-network/

3: https://digital-security.quodagis.fr/ressources/ressource/exfiltration-de-donnees-les-techniques-icmp-et-dns-tunneling-855

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed- IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.

DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

Multiple context mode allows you to partition a single ASA into multiple virtual firewalls, each with its own security policy, interfaces, and management IP address. This mode is useful for providing security services to different customers or tenants on a shared appliance, while maintaining separation of management and configuration. Each context acts as an independent device and can be in either routed or transparent mode. You can also assign different administrators to each context and limit their access to specific commands and features. Multiple context mode is supported in Cisco ACI with the ASA device package version 1.2 or later. References: 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_Guide/b_L4L7_Service_Graph_Deploy_ver122g/b_L4L7_Service_Graph_Deploy_ver122x_chapter_0110.pdf

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html

the routing of traffic through the Cisco Umbrella network is to browse to http://welcome.umbrella.com/. This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

How To: Successfully test to ensure you’re running Umbrella correctly

Add a Network Identity

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

A CoA request is a network protocol message used in the context of network access control and authentication systems. It is typically employed in scenarios where a user’s access privileges or attributes need to be modified during an active network session. CoA requests are commonly used in conjunction with the RADIUS protocol, which is widely used for managing user authentication and authorization in network environments. When a CoA request is initiated, it is sent by a network access server (NAS) to a RADIUS server to request a change in the user’s authorization state or attributes. The CoA request contains information specifying the desired change, such as granting additional access privileges, revoking existing privileges, modifying session parameters, or updating user attributes. The RADIUS server processes the CoA request and applies the necessary changes to the user’s session in real-time, allowing dynamic adjustments to the user’s authorization and network access. CoA requests are often utilized in scenarios where an administrator needs to promptly update a user’s access rights without requiring them to terminate their current session. This flexibility is particularly valuable in environments that demand fine-grained access control or where access privileges need to be adjusted based on changing circumstances or policies. References :=

Some possible references for this answer are:

RADIUS Change of Authorization - Cisco

What is a CoA Request? - Portnox

RADIUS Change of Authorization: Explained - Cloud RADIUS

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It blocks requests to malicious domains or IPs before a connection is even established, and logs and inspects all web traffic for greater transparency, control, and protection1.

However, not all domains or IPs are clearly malicious or benign. Some of them may be risky, meaning that they host both legitimate and malicious content, or that they have a low reputation score based on various factors. For these domains or IPs, Cisco Umbrella offers the option to proxy the traffic through the intelligent proxy, which is a selective web proxy that performs deeper inspection and analysis of the web content2.

The intelligent proxy can apply URL filtering, file inspection, and file type control to the proxied traffic, and block or allow it based on the policy settings. The intelligent proxy can also leverage Cisco Advanced Malware Protection (AMP) and antivirus engines to scan files for malware and threats3.

Therefore, by using the intelligent proxy, Cisco Umbrella can manage traffic that is directed toward risky domains more effectively, and provide an additional layer of security and visibility for the organization.

References :=

Manage the Intelligent Proxy

Manage File Inspection

Cisco Umbrella At a Glance

A Trojan malware attack is a type of malicious code or software that disguises itself as a legitimate program or file to trick users into executing it. Once executed, the Trojan can perform various harmful actions on the infected system or network, such as stealing data, deleting files, or installing other malware. There are different types of Trojan malware attacks, depending on their purpose and behavior. Two common types are:

Rootkit: A rootkit is a type of Trojan that hides itself and other malware from detection and removal by antivirus software or system tools. A rootkit can modify the operating system or the firmware of the device to gain persistent and privileged access to the system. A rootkit can also intercept and manipulate system calls, network traffic, or user input to conceal its activities or redirect them to malicious servers.

Backdoor: A backdoor is a type of Trojan that creates a secret or unauthorized access point to the infected system or network. A backdoor can allow an attacker to remotely control the system, execute commands, upload or download files, or monitor the system activity. A backdoor can also be used to install other malware or launch further attacks on other systems or networks.