Cisco CCNP Security 350-701 Questions & Answers

• Question 401:

  Which method is used to deploy certificates and configure the supplicant on mobile devices to gain access to network resources?

  A. BYOD on boarding

  B. Simple Certificate Enrollment Protocol

  C. Client provisioning

  D. MAC authentication bypass

  Correct Answer: A

  Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2- 4/admin_guide/b_ISE_admin_guide_24/m_ise_devices_byod.html

• Question 402:

  What is the benefit of installing Cisco AMP for Endpoints on a network?

  A. It provides operating system patches on the endpoints for security.

  B. It provides flow-based visibility for the endpoints network connections.

  C. It enables behavioral analysis to be used for the endpoints.

  D. It protects endpoint systems through application control and real-time scanning

  Correct Answer: D

• Question 403:

  What is a difference between DMVPN and sVTI?

  A. DMVPN supports tunnel encryption, whereas sVTI does not.

  B. DMVPN supports dynamic tunnel establishment, whereas sVTI does not.

  C. DMVPN supports static tunnel establishment, whereas sVTI does not.

  D. DMVPN provides interoperability with other vendors, whereas sVTI does not.

  Correct Answer: B

• Question 404:

  Which attack type attempts to shut down a machine or network so that users are not able to access it?

  A. smurf

  B. bluesnarfing

  C. MAC spoofing

  D. IP spoofing

  Correct Answer: A

  Denial-of-service (DDoS) aims at shutting down a network or service, causing it to be inaccessible to itsintended users.The Smurf attack is a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP)packets with the intended victim's spoofed source IP are broadcast to a computer network using an IPbroadcast address.

• Question 405:

  In which situation should an Endpoint Detection and Response solution be chosen versus an Endpoint Protection Platform?

  A. when there is a need for traditional anti-malware detection

  B. when there is no need to have the solution centrally managed

  C. when there is no firewall on the network

  D. when there is a need to have more advanced detection capabilities

  Correct Answer: D

  Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch.EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to providedevice-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response.The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization's deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization's security team.

• Question 406:

  With which components does a southbound API within a software-defined network architecture communicate?

  A. controllers within the network

  B. applications

  C. appliances

  D. devices such as routers and switches

  Correct Answer: D

  

  The Southbound API is used to communicate between Controllers and network devices.

• Question 407:

  Which factor must be considered when choosing the on-premise solution over the cloud- based one?

  A. With an on-premise solution, the provider is responsible for the installation and maintenance of the product, whereas with a cloud-based solution, the customer is responsible for it

  B. With a cloud-based solution, the provider is responsible for the installation, but the customer is responsible for the maintenance of the product.

  C. With an on-premise solution, the provider is responsible for the installation, but the customer is responsible for the maintenance of the product.

  D. With an on-premise solution, the customer is responsible for the installation and maintenance of the product, whereas with a cloud-based solution, the provider is responsible for it.

  Correct Answer: D

• Question 408:

  An organization is using Cisco Firepower and Cisco Meraki MX for network security and needs to centrally manage cloud policies across these platforms. Which software should be used to accomplish this goal?

  A. Cisco Defense Orchestrator

  B. Cisco Secureworks

  C. Cisco DNA Center

  D. Cisco Configuration Professional

  Correct Answer: A

  Reference: https://www.cisco.com/c/en/us/products/collateral/security/defense- orchestrator/datasheet-c78-736847.html

• Question 409:

  What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone- based policy firewall?

  A. The Cisco ASA denies all traffic by default whereas the Cisco IOS router with Zone- Based Policy Firewall starts out by allowing all traffic, even on untrusted interfaces

  B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas the Cisco ASA cannot

  C. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas the Cisco ASA starts out by allowing all traffic until rules are added

  D. The Cisco ASA can be configured for high availability whereas the Cisco IOS router with Zone-Based Policy Firewall cannot

  Correct Answer: C

• Question 410:

  A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being used as the NAC server, and the new device does not have a supplicant available. What must be done in order to securely connect this device to the network?

  A. Use MAB with profiling

  B. Use MAB with posture assessment.

  C. Use 802.1X with posture assessment.

  D. Use 802.1X with profiling.

  Correct Answer: A

  Reference: https://community.cisco.com/t5/security-documents/ise-profiling-design- guide/ta-p/3739456