Cisco 350-701 Practice Test - Questions Answers, Page 18
Question 171

What are the two types of managed Intercloud Fabric deployment models? (Choose two)
Service Provider managed
Public managed
Hybrid managed
User managed
Enterprise managed
Many enterprises prefer to deploy development workloads in the public cloud, primarily for convenience and faster deployment. This approach can cause concern for IT administrators, who must control the flow of IT traffic and spending and help ensure the security of data and intellectual property. Without the proper controls, data and intellectual property can escape this oversight. The Cisco Intercloud Fabric solution helps control this shadow IT, discovering resources deployed in the public cloud outside IT control and placing these resources under Cisco Intercloud Fabric control.
Cisco Intercloud Fabric addresses the cloud deployment requirements appropriate for two hybrid cloud deployment models: Enterprise Managed (an enterprise manages its own cloud environments) and Service Provider Managed (the service provider administers and controls all cloud resources).
Reference:
https://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric.pdf
The Cisco Intercloud Fabric architecture provides two product configurations to address the following two consumption models:
+ Cisco Intercloud Fabric for Business
+ Cisco Intercloud Fabric for Providers
Reference:
https://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.html
Question 172

What are two DDoS attack categories? (Choose two)
sequential
protocol
database
volume-based
screen-based
There are three basic categories of attack:
+ volume-based attacks, which use high traffic to inundate the network bandwidth
+ protocol attacks, which focus on exploiting server resources
+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks
Reference: https://www.esecurityplanet.com/networks/types-of-ddosattacks/
Question 173

Refer to the exhibit.
Which type of authentication is in use?
LDAP authentication for Microsoft Outlook
POP3 authentication
SMTP relay server authentication
external user and relay mail authentication
The TLS connections are recorded in the mail logs, along with other significant actions that are related to messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection.
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technoteesa-00.html
The exhibit in this question shows a successful TLS connection from the remote host (reception) in the mail log.
Question 174

An organization received a large amount of SPAM messages over a short time period. In order to take action on the messages, it must be determined how harmful the messages are and this needs to happen dynamically.
What must be configured to accomplish this?
Configure the Cisco WSA to modify policies based on the traffic seen
Configure the Cisco ESA to receive real-time updates from Talos
Configure the Cisco WSA to receive real-time updates from Talos
Configure the Cisco ESA to modify policies based on the traffic seen
The Mail Policies menu is where almost all of the controls related to email filtering live. All the security and content filtering policies are set here, so as an ESA administrator you are likely to spend most of your time on the pages under this menu.
Question 175

Which product allows Cisco FMC to push security intelligence observable to its sensors from other products?
Encrypted Traffic Analytics
Threat Intelligence Director
Cognitive Threat Analytics
Cisco Talos Intelligence
Question 176

What are two differences between a Cisco WSA that is running in transparent mode and one running in explicit mode? (Choose two)
A. When the Cisco WSA is running in transparent mode, it uses the WSA's own IP address as the HTTP request destination.
B. The Cisco WSA responds with its own IP address only if it is running in explicit mode.
C. The Cisco WSA is configured in a web browser only if it is running in transparent mode.
D. The Cisco WSA uses a Layer 3 device to redirect traffic only if it is running in transparent mode.
E. The Cisco WSA responds with its own IP address only if it is running in transparent mode.
The Cisco Web Security Appliance (WSA) includes a web proxy, a threat analytics engine, antimalware engine, policy management, and reporting in a single physical or virtual appliance. The main use of the Cisco WSA is to protect users from accessing malicious websites and being infected by malware.
You can deploy the Cisco WSA in two different modes:
– Explicit forward mode
– Transparent mode
In explicit forward mode, the client is configured to explicitly use the proxy, subsequently sending all web traffic to the proxy. Because the client knows there is a proxy and sends all traffic to the proxy in explicit forward mode, the client does not perform a DNS lookup of the domain before requesting the URL. The Cisco WSA is responsible for DNS resolution, as well.
When you configure the Cisco WSA in explicit mode, you do not need to configure any other network infrastructure devices to redirect client requests to the Cisco WSA. However, you must configure each client to send traffic to the Cisco WSA.
-> Therefore, in explicit mode the WSA only checks the traffic between the client and the web server; the WSA does not use its own IP address to make the request -> Answer B is not correct.
When the Cisco WSA is in transparent mode, clients do not know there is a proxy deployed. Network infrastructure devices are configured to forward traffic to the Cisco WSA. In transparent mode deployments, network infrastructure devices redirect web traffic to the proxy. Web traffic redirection can be done using policy-based routing (PBR), available on many routers, or using Cisco's Web Cache Communication Protocol (WCCP) on Cisco ASA, Cisco routers, or switches.
The Web Cache Communication Protocol (WCCP), developed by Cisco Systems, specifies interactions between one or more routers (or switches) and one or more web caches. The purpose of the interaction is to establish and maintain the transparent redirection of traffic flowing through a group of routers.
Reference: https://www.cisco.com/c/en/us/tech/content-networking/web-cache-communicationsprotocol-wccp/index.html
-> Therefore answer D is correct, as redirection can be done on a Layer 3 device only.
In transparent mode, the client is unaware its traffic is being sent to a proxy (Cisco WSA) and, as a result, the client uses DNS to resolve the domain name in the URL and sends the web request destined for the web server (not the proxy).
When you configure the Cisco WSA in transparent mode, you need to identify a network choke point with a redirection device (a Cisco ASA) to redirect traffic to the proxy.
[Figure: WSA in Transparent mode]
Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide
-> Therefore, in transparent mode the WSA uses its own IP address to initiate a new connection to the web server (step 4 in the figure above) -> Answer E is correct.
Answer C is surely not correct, as the WSA cannot be configured in a web browser in either mode.
Answer A seems to be correct, but it is not. This answer would be correct if it stated "When the Cisco WSA is running in transparent mode, it uses the WSA's own IP address as the HTTP request source" (not destination).
Question 177

After a recent breach, an organization determined that phishing was used to gain initial access to the network before regaining persistence. The information gained from the phishing attack was a result of users visiting known malicious websites. What must be done in order to prevent this from happening in the future?
Modify an access policy
Modify identification profiles
Modify outbound malware scanning policies
Modify web proxy settings
URL conditions in access control rules allow you to limit the websites that users on your network can access. This feature is called URL filtering. There are two ways you can use access control to specify URLs you want to block (or, conversely, allow):
– With any license, you can manually specify individual URLs, groups of URLs, and URL lists and feeds to achieve granular, custom control over web traffic.
– With a URL Filtering license, you can also control access to websites based on the URL's general classification, or category, and risk level, or reputation. The system displays this category and reputation data in connection logs, intrusion events, and application details.
Using category and reputation data also simplifies policy creation and administration. It grants you assurance that the system will control web traffic as expected. Finally, because Cisco's threat intelligence is continually updated with new URLs, as well as new categories and risks for existing URLs, you can ensure that the system uses up-to-date information to filter requested URLs. Malicious sites that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-configguidev60/Access_Control_Rules__URL_Filtering.html
Question 178

What is the function of SDN southbound API protocols?
to allow for the dynamic configuration of control plane applications
to enable the controller to make changes
to enable the controller to use REST
to allow for the static configuration of control plane applications
Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and scalability needs.
Reference: https://www.ciscopress.com/articles/article.asp?p=3004581&seqNum=2
Note: Southbound APIs help us communicate with data plane (not control plane) applications.
Question 179

Refer to the exhibit.
Traffic is not passing through IPsec site-to-site VPN on the Firepower Threat Defense appliance. What is causing this issue?
No split-tunnel policy is defined on the Firepower Threat Defense appliance.
The access control policy is not allowing VPN traffic in.
Site-to-site VPN peers are using different encryption algorithms.
Site-to-site VPN preshared keys are mismatched.
If sysopt permit-vpn is not enabled, then an access control policy must be created to allow the VPN traffic through the FTD device. If sysopt permit-vpn is enabled, skip creating an access control policy.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ikeprotocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html
Question 180

An attacker needs to perform reconnaissance on a target system to help gain access to it. The system has weak passwords, no encryption on the VPN links, and software bugs on the system's applications. Which vulnerability allows the attacker to see the passwords being transmitted in clear text?
weak passwords for authentication
unencrypted links for traffic
software bugs on applications
improper file security