Cisco CCNP Security 350-701 Questions & Answers

• Question 471:

  Which cloud service model offers an environment for cloud consumers to develop and deploy applications without needing to manage or maintain the underlying cloud infrastructure?

  A. PaaS

  B. XaaS

  C. IaaS

  D. SaaS

  Correct Answer: A

  Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

• Question 472:

  What is a required prerequisite to enable malware file scanning for the Secure Internet Gateway?

  A. Enable IP Layer enforcement.

  B. Activate the Advanced Malware Protection license

  C. Activate SSL decryption.

  D. Enable Intelligent Proxy.

  Correct Answer: D

• Question 473:

  An engineer must force an endpoint to re-authenticate an already authenticated session without disrupting the endpoint to apply a new or updated policy from ISE. Which CoA type achieves this goal?

  A. Port Bounce

  B. CoA Terminate

  C. CoA Reauth

  D. CoA Session Query

  Correct Answer: C

• Question 474:

  Which ASA deployment mode can provide separation of management on a shared appliance?

  A. DMZ multiple zone mode

  B. transparent firewall mode

  C. multiple context mode

  D. routed mode

  Correct Answer: C

• Question 475:

  Refer to the exhibit.

  

  Which statement about the authentication protocol used in the configuration is true?

  A. The authentication request contains only a password

  B. The authentication request contains only a username

  C. The authentication and authorization requests are grouped in a single packet

  D. There are separate authentication and authorization request packets

  Correct Answer: C

  This command uses RADIUS which combines authentication and authorization in one function (packet).

• Question 476:

  Which information is required when adding a device to Firepower Management Center?

  A. username and password

  B. encryption method

  C. device serial number

  D. registration key

  Correct Answer: D

  https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Device_Management_Basics.html

• Question 477:

  How is DNS tunneling used to exfiltrate data out of a corporate network?

  A. It corrupts DNS servers by replacing the actual IP address with a rogue address to collect information or start other attacks.

  B. It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data.

  C. It redirects DNS requests to a malicious server used to steal user credentials, which allows further damage and theft on the network.

  D. It leverages the DNS server by permitting recursive lookups to spread the attack to other DNS servers.

  Correct Answer: B

  Domain name system (DNS) is the protocol that translates human-friendly URLs, such as securitytut.com, into IP addresses, such as 183.33.24.13. Because DNS messages are only used as the beginning of each communication and they are not intended for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, DNS-based attacks can be effective if launched against their networks. DNS tunneling is one such attack.An example of DNS Tunneling is shown below:

  

  The attacker incorporates one of many open-source DNS tunneling kits into an authoritative DNSnameserver (NS) and malicious payload.2. An IP address (e.g. 1.2.3.4) is allocated from the attacker's infrastructure and a domain name (e.g. attackerdomain.com) is registered or reused. The registrar informs the top-level domain (.com) nameservers to refer requests for attackerdomain.com to ns.attackerdomain.com, which has a DNS record mapped to 1.2.3.43. The attacker compromises a system with the malicious payload. Once the desired data is obtained, the payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9, P028X977W,...).4. The payload initiates thousands of unique DNS record requests to the attacker's domain with each string as Reference: https://learn-umbrella.cisco.com/i/775902-dns-tunneling/0

• Question 478:

  Where are individual sites specified to be blacklisted in Cisco Umbrella?

  A. application settings

  B. content categories

  C. security settings

  D. destination lists

  Correct Answer: D

  Reference: https://docs.umbrella.com/deployment-umbrella/docs/working-with-destination- lists

• Question 479:

  Which two are valid suppression types on a Cisco Next Generation Intrusion Prevention System? (Choose two)

  A. Port

  B. Rule

  C. Source

  D. Application

  E. Protocol

  Correct Answer: BC

• Question 480:

  Which VPN technology can support a multivendor environment and secure traffic between sites?

  A. SSL VPN

  B. GET VPN

  C. FlexVPN

  D. DMVPN

  Correct Answer: C

  FlexVPN is an IKEv2-based VPN technology that provides several benefits beyond traditional site-to-site VPN implementations. FlexVPN is a standards-based solution that can interoperate with non-Cisco IKEv2implementations. Therefore FlexVPN can support a multivendor environment. All of the three VPN technologies support traffic between sites (site-to-site or spoke-to-spoke).