CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide (2023)



Companion Website and Pearson Test Prep Access Code

Access interactive study tools on this book’s companion website, including practice test software, review exercises, a Key Term flash card application, a study planner, and more!

To access the companion website, simply follow these steps:

1. Go to ciscopress.com/register.
2. Enter the print book ISBN: 9780138221263.
3. Answer the security question to validate your purchase.
4. Go to your account page.
5. Click on the Registered Products tab.
6. Under the book listing, click on the Access Bonus Content link.

When you register your book, your Pearson Test Prep practice test access code will automatically be populated in your account under the Registered Products tab. You will need this code to access the practice test that comes with this book. You can redeem the code at PearsonTestPrep.com. Simply choose Pearson IT Certification as your product group and log in to the site with the same credentials you used to register your book. Click the Activate New Product button and enter the access code. More detailed instructions on how to redeem your access code for both the online and desktop versions can be found on the companion website.

If you have any issues accessing the companion website or obtaining your Pearson Test Prep practice test access code, you can contact our support team by going to pearsonitp.echelp.org.


CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide, 2nd Edition
Omar Santos

Cisco Press
Hoboken, New Jersey


CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide, 2nd Edition
Omar Santos

Copyright © 2024 Cisco Systems, Inc.
Published by: Cisco Press

All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions.

No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

Library of Congress Control Number: 2023914718
ISBN-13: 978-0-13-822126-3
ISBN-10: 0-13-822126-X

Warning and Disclaimer

This book is designed to provide information about the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the supplemental online content or programs accompanying it.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact intlcs@pearson.com.


Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Vice President, IT Professional: Mark Taub
Copy Editors: Bart Reed and Chuck Hutchinson
Director, ITP Product Management: Brett Bartow
Alliances Manager, Cisco Press: Jaci Featherly; James Risler
Technical Editor: John Stuppi
Executive Editor: James Manly
Designer: Chuti Prasertsith
Managing Editor: Sandra Schroeder
Composition: codeMantra
Development Editor: Christopher A. Cleveland
Indexer: Erika Millen
Senior Project Editor: Mandie Frank
Proofreader: Donna E. Mulder
Editorial Assistant: Cindy Teeters

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)


Pearson’s Commitment to Diversity, Equity, and Inclusion

Pearson is dedicated to creating bias-free content that reflects the diversity of all learners. We embrace the many dimensions of diversity, including but not limited to race, ethnicity, gender, socioeconomic status, ability, age, sexual orientation, and religious or political beliefs.

Education is a powerful force for equity and change in our world. It has the potential to deliver opportunities that improve lives and enable economic mobility. As we work with authors to create content for every product and service, we acknowledge our responsibility to demonstrate inclusivity and incorporate diverse scholarship so that everyone can achieve their potential through learning. As the world’s leading learning company, we have a duty to help drive change and live up to our purpose to help more people create a better life for themselves and to create a better world.

Our ambition is to purposefully contribute to a world where

- Everyone has an equitable and lifelong opportunity to succeed through learning
- Our educational products and services are inclusive and represent the rich diversity of learners
- Our educational content accurately reflects the histories and experiences of the learners we serve
- Our educational content prompts deeper discussions with learners and motivates them to expand their own learning (and worldview)

While we work hard to present unbiased content, we want to hear from you about any concerns or needs with this Pearson product so that we can investigate and address them. Please contact us with concerns about any potential bias at https://www.pearson.com/report-bias.html.


Credits

Figure 1-4: United States Department of Defense
Figure 1-6: Webgoat SQL Injection
Figure 1-1, Figure 1-2: OffSec Services Limited
Figure 3-27 to Figure 3-30: Python Software Foundation
Figure 9-11: Amazon Web Services
Figure 9-14 to Figure 9-16: Docker Inc
Figure 9-19 to Figure 9-21: Google Inc
Figure 10-2: Apple Inc


About the Author

Omar Santos is a cybersecurity thought leader with a passion for driving industry-wide initiatives to enhance the security of critical infrastructures. Omar is the lead of the DEF CON Red Team Village, the chair of the Common Security Advisory Framework (CSAF) technical committee, and board member of the OASIS Open standards organization. Omar’s collaborative efforts extend to numerous organizations, including the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium for Advancement of Security on the Internet (ICASI).

Omar is a renowned expert in ethical hacking, vulnerability research, incident response, and AI security. He employs his deep understanding of these disciplines to help organizations stay ahead of emerging threats. His dedication to cybersecurity has made a significant impact on businesses, academic institutions, law enforcement agencies, and other entities striving to bolster their security measures. Omar is currently leading several Artificial Intelligence (AI) security research efforts at the Cisco Security and Trust Organization (STO).

With over twenty books, video courses, white papers, and technical articles under his belt, Omar’s expertise is widely recognized and respected. As a principal engineer at Cisco’s Product Security Incident Response Team (PSIRT), Omar not only leads engineers and incident managers in investigating and resolving cybersecurity vulnerabilities, but also actively mentors the next generation of security professionals. You can follow Omar on Twitter @santosomar.


About the Technical Reviewer

John Stuppi, CCIE No. 11154, is a Technical Leader in the Security & Trust Organization (S&TO) at Cisco where he consults Cisco customers on protecting their networks against existing and emerging cyber security threats, risks, and vulnerabilities. Current projects include working with newly acquired entities to integrate them into Cisco’s PSIRT Vulnerability Management processes and advising some of Cisco’s most strategic customers on vulnerability management and risk assessment. John has presented multiple times on various network security topics at Cisco Live, Black Hat, as well as other customer-facing cyber security conferences. John is also the co-author of the CCNA Security 210-260 Official Cert Guide published by Cisco Press. Additionally, John has contributed to the Cisco Security Portal through the publication of white papers, Security Blog posts, and Cyber Risk Report articles. Prior to joining Cisco, John worked as a network engineer for JPMorgan and then as a network security engineer at Time, Inc., with both positions based in New York City. John is also a CISSP (#25525) and holds AWS Cloud Practitioner and Information Systems Security (INFOSEC) Professional Certifications. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John splits his time between Eatontown, New Jersey and Clemson, South Carolina with his wife, son, daughter, and his dog.


Dedication

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.


Acknowledgments

I would like to thank the technical editor and my good friend, John Stuppi, for his time and technical expertise.

I would like to thank the Cisco Press team, especially James Manly and Christopher Cleveland, for their patience, guidance, and consideration.

Finally, I would like to thank Cisco and the Cisco Product Security Incident Response Team (PSIRT), Security and Trust Organization for enabling me to constantly learn and achieve many goals throughout all these years.


Contents at a Glance

Introduction  xxxi
Chapter 1  Cybersecurity Fundamentals  2
Chapter 2  Cryptography  80
Chapter 3  Software-Defined Networking Security and Network Programmability  110
Chapter 4  Authentication, Authorization, Accounting (AAA) and Identity Management  156
Chapter 5  Network Visibility and Segmentation  232
Chapter 6  Infrastructure Security  316
Chapter 7  Cisco Secure Firewall  410
Chapter 8  Virtual Private Networks (VPNs)  490
Chapter 9  Securing the Cloud  578
Chapter 10  Content Security  638
Chapter 11  Endpoint Protection and Detection  672
Chapter 12  Final Preparation  696
Chapter 13  CCNP and CCIE Security Core SCOR (350-701) Exam Updates  698
Appendix A  Answers to the “Do I Know This Already?” Quizzes and Q&A Sections  702
Glossary  714
Index  732

Online Element
Appendix B  Study Planner


Contents

Introduction  xxxi

Chapter 1  Cybersecurity Fundamentals  2
  “Do I Know This Already?” Quiz  3
  Foundation Topics  6
  Introduction to Cybersecurity  6
  Cybersecurity vs. Information Security (InfoSec)  6
  The NIST Cybersecurity Framework  7
  Additional NIST Guidance and Documents  7
  The International Organization for Standardization (ISO)  8
  Defining What Are Threats, Vulnerabilities, and Exploits  8
  What Is a Threat?  8
  What Is a Vulnerability?  9
  What Is an Exploit?  10
  Risk, Assets, Threats, and Vulnerabilities  12
  Defining Threat Actors  13
  Understanding What Threat Intelligence Is  14
  Viruses and Worms  16
  Types and Transmission Methods  16
  Malware Payloads  17
  Trojans  18
  Trojan Types  18
  Trojan Ports and Communication Methods  19
  Trojan Goals  20
  Trojan Infection Mechanisms  21
  Effects of Trojans  22
  Distributing Malware  22
  Ransomware  23
  Covert Communication  24
  Keyloggers  26
  Spyware  27
  Analyzing Malware  28
  Static Analysis  28
  Dynamic Analysis  29


  Common Software and Hardware Vulnerabilities  31
  Injection Vulnerabilities  31
  SQL Injection  31
  HTML Injection  33
  Command Injection  33
  Authentication-based Vulnerabilities  33
  Credential Brute-Force Attacks and Password Cracking  34
  Session Hijacking  35
  Default Credentials  35
  Insecure Direct Object Reference Vulnerabilities  35
  Cross-site Scripting (XSS)  36
  Cross-site Request Forgery  38
  Server-side Request Forgery  38
  Cookie Manipulation Attacks  39
  Race Conditions  39
  Unprotected APIs  39
  Typical Attacks Against Artificial Intelligence (AI) and Machine Learning  40
  Return-to-LibC Attacks and Buffer Overflows  41
  OWASP Top 10  42
  Security Vulnerabilities in Open-Source Software  42
  Confidentiality, Integrity, and Availability  43
  What Is Confidentiality?  43
  What Is Integrity?  45
  What Is Availability?  46
  Talking About Availability, What Is a Denial-of-Service (DoS) Attack?  46
  Access Control Management  48
  Cloud Security Threats  50
  Cloud Computing Issues and Concerns  51
  Cloud Computing Attacks  53
  Cloud Computing Security  53
  IoT Security Threats  54
  IoT Protocols  56
  Hacking IoT Implementations  57
  An Introduction to Digital Forensics and Incident Response  58
  ISO/IEC 27002:2013 and NIST Incident Response Guidance  58
  What Is an Incident?  59


  False Positives, False Negatives, True Positives, and True Negatives  60
  Incident Severity Levels  60
  How Are Incidents Reported?  61
  What Is an Incident Response Program?  62
  The Incident Response Plan  62
  The Incident Response Process  63
  Tabletop Exercises and Playbooks  65
  Information Sharing and Coordination  66
  Computer Security Incident Response Teams  67
  Product Security Incident Response Teams (PSIRTs)  69
  The Common Vulnerability Scoring System (CVSS)  69
  The Stakeholder-Specific Vulnerability Categorization (SSVC)  73
  National CSIRTs and Computer Emergency Response Teams (CERTs)  74
  Coordination Centers  74
  Incident Response Providers and Managed Security Service Providers (MSSPs)  75
  Key Incident Management Personnel  75
  Summary  76
  Exam Preparation Tasks  76
  Review All Key Topics  76
  Define Key Terms  78
  Review Questions  78

Chapter 2  Cryptography  80
  “Do I Know This Already?” Quiz  80
  Foundation Topics  82
  Introduction to Cryptography  82
  Ciphers  82
  Keys  83
  Block and Stream Ciphers  84
  Symmetric and Asymmetric Algorithms  84
  Hashes  86
  Hashed Message Authentication Code  89
  Digital Signatures  90
  Key Management  92
  Next-Generation Encryption Protocols  92
  IPsec  93


  Post-Quantum Cryptography  93
  SSL and TLS  95
  Fundamentals of PKI  97
  Public and Private Key Pairs  97
  More About Keys and Digital Certificates  97
  Certificate Authorities  98
  Root Certificates  99
  Identity Certificates  101
  X.500 and X.509v3  101
  Authenticating and Enrolling with the CA  102
  Public Key Cryptography Standards  103
  Simple Certificate Enrollment Protocol  103
  Revoking Digital Certificates  103
  Digital Certificates in Practice  104
  PKI Topologies  105
  Single Root CA  105
  Hierarchical CA with Subordinate CAs  105
  Cross-Certifying CAs  106
  Exam Preparation Tasks  106
  Review All Key Topics  106
  Define Key Terms  107
  Review Questions  107

Chapter 3  Software-Defined Networking Security and Network Programmability  110
  “Do I Know This Already?” Quiz  110
  Foundation Topics  112
  Software-Defined Networking (SDN) and SDN Security  112
  Traditional Networking Planes  113
  So What’s Different with SDN?  114
  Introduction to the Cisco ACI Solution  114
  VXLAN and Network Overlays  116
  Micro-Segmentation  118
  Open-Source Initiatives  120
  More About Network Function Virtualization  121
  NFV MANO  123
  Contiv  123


  ThousandEyes Integration  124
  Cisco Digital Network Architecture (DNA)  125
  Cisco DNA Policies  127
  Cisco DNA Group-Based Access Control Policy  129
  Cisco DNA IP-Based Access Control Policy  131
  Cisco DNA Application Policies  131
  Cisco DNA Traffic Copy Policy  132
  Cisco DNA Center Assurance Solution  133
  Cisco DNA Center APIs  135
  Cisco DNA Security Solution  135
  Cisco DNA Multivendor Support  136
  Introduction to Network Programmability  136
  Modern Programming Languages and Tools  137
  DevNet  140
  Getting Started with APIs  140
  REST APIs  141
  Using Network Device APIs  145
  YANG Models  145
  NETCONF  147
  RESTCONF  149
  OpenConfig and gNMI  151
  Exam Preparation Tasks  151
  Review All Key Topics  151
  Define Key Terms  152
  Review Questions  152

Chapter 4  Authentication, Authorization, Accounting (AAA) and Identity Management  156
  “Do I Know This Already?” Quiz  157
  Foundation Topics  160
  Introduction to Authentication, Authorization, and Accounting  160
  The Principle of Least Privilege and Separation of Duties  161
  Authentication  162
  Authentication by Knowledge  162
  Authentication by Ownership or Possession  164
  Authentication by Characteristic  164
  Multifactor Authentication  165


  Duo Security  166
  Zero Trust and BeyondCorp  169
  Single Sign-On  171
  JWT  173
  SSO and Federated Identity Elements  174
  Authorization  177
  Mandatory Access Control (MAC)  177
  Discretionary Access Control (DAC)  178
  Role-Based Access Control (RBAC)  178
  Rule-Based Access Control  178
  Attribute-Based Access Control  179
  Accounting  179
  Infrastructure Access Controls  179
  Access Control Mechanisms  179
  AAA Protocols  182
  RADIUS  182
  TACACS+  184
  Diameter  186
  802.1X  188
  Network Access Control List and Firewalling  190
  VLAN ACLs  191
  Security Group–Based ACL  191
  Downloadable ACL  191
  Cisco Identity Services Engine (ISE)  192
  Cisco Platform Exchange Grid (pxGrid)  193
  Cisco ISE Context and Identity Services  195
  Cisco ISE Profiling Services  195
  Cisco ISE Identity Services  198
  Cisco ISE Authorization Rules  199
  Cisco TrustSec  201
  Posture Assessment  203
  Change of Authorization (CoA)  204
  Configuring TACACS+ Access  207
  Configuring RADIUS Authentication  213
  Configuring 802.1X Authentication  215
  Additional Cisco ISE Design Tips  222


  Advice on Sizing a Cisco ISE Distributed Deployment  224
  Exam Preparation Tasks  225
  Review All Key Topics  225
  Define Key Terms  226
  Review Questions  227

Chapter 5  Network Visibility and Segmentation  232
  “Do I Know This Already?” Quiz  233
  Foundation Topics  236
  Introduction to Network Visibility  236
  NetFlow  237
  The Network as a Sensor and as an Enforcer  238
  What Is a Flow?  238
  NetFlow for Network Security and Visibility  241
  NetFlow for Anomaly Detection and DDoS Attack Mitigation  241
  Data Leak Detection and Prevention  243
  Incident Response, Threat Hunting, and Network Security Forensics  243
  Traffic Engineering and Network Planning  248
  NetFlow Versions  249
  IP Flow Information Export (IPFIX)  249
  IPFIX Architecture  251
  Understanding IPFIX Mediators  251
  IPFIX Templates  252
  Option Templates  253
  Understanding the Stream Control Transmission Protocol (SCTP)  254
  Exploring Application Visibility and Control and NetFlow  254
  Application Recognition  254
  Metrics Collection and Exporting  255
  NetFlow Deployment Scenarios  255
  NetFlow Deployment Scenario: User Access Layer  256
  NetFlow Deployment Scenario: Wireless LAN  256
  NetFlow Deployment Scenario: Internet Edge  258
  NetFlow Deployment Scenario: Data Center  259
  NetFlow Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs  261
  Cisco Secure Network Analytics and Cisco Secure Cloud Analytics  263
  Cisco Secure Cloud Analytics  264


  On-Premises Monitoring with Cisco Secure Cloud Analytics  267
  Cisco Secure Cloud Analytics Integration with Meraki and Cisco Umbrella  268
  Exploring the Cisco Secure Network Analytics Dashboard  268
  Threat Hunting with Cisco Secure Network Analytics  270
  Cisco Cognitive Intelligence and Cisco Encrypted Traffic Analytics (ETA)  274
  What Is Cisco ETA?  274
  What Is Cisco Cognitive Intelligence?  274
  NetFlow Collection Considerations and Best Practices  279
  Determining the Flows per Second and Scalability  280
  Configuring NetFlow in Cisco IOS and Cisco IOS-XE  280
  Simultaneous Application Tracking  281
  Flexible NetFlow Records  282
  Flexible NetFlow Key Fields  282
  Flexible NetFlow Non-Key Fields  284
  NetFlow Predefined Records  285
  User-Defined Records  286
  Flow Monitors  286
  Flow Exporters  286
  Flow Samplers  286
  Flexible NetFlow Configuration  286
  Configure a Flow Record  287
  Configure a Flow Monitor for IPv4 or IPv6  289
  Configure a Flow Exporter for the Flow Monitor  291
  Apply a Flow Monitor to an Interface  293
  Flexible NetFlow IPFIX Export Format  294
  Configuring NetFlow in NX-OS  295
  Introduction to Network Segmentation  296
  Data-Driven Segmentation  297
  Application-Based Segmentation  299
  Micro-Segmentation with Cisco ACI  301
  Segmentation with Cisco ISE  302
  The Scalable Group Tag Exchange Protocol (SXP)  303
  SGT Assignment and Deployment  306
  Initially Deploying 802.1X and/or TrustSec in Monitor Mode  306
  Active Policy Enforcement  306
  Cisco ISE TrustSec and Cisco ACI Integration  310


  Exam Preparation Tasks  312
  Review All Key Topics  312
  Define Key Terms  313
  Review Questions  314

Chapter 6  Infrastructure Security  316
  “Do I Know This Already?” Quiz  317
  Foundation Topics  320
  Securing Layer 2 Technologies  320
  VLAN and Trunking Fundamentals  320
  What Is a VLAN?  321
  Trunking with 802.1Q  323
  Let’s Follow the Frame, Step by Step  325
  What Is the Native VLAN on a Trunk?  326
  So, What Do You Want to Be? (Asks the Port)  326
  Understanding Inter-VLAN Routing  326
  What Is the Challenge of Only Using Physical Interfaces?  326
  Using Virtual “Sub” Interfaces  326
  Spanning Tree Fundamentals  328
  The Solution to the Layer 2 Loop  328
  STP Is Wary of New Ports  331
  Improving the Time Until Forwarding  332
  Common Layer 2 Threats and How to Mitigate Them  333
  Do Not Allow Negotiations  334
  Layer 2 Security Toolkit  334
  BPDU Guard  335
  Root Guard  336
  Port Security  336
  CDP and LLDP  338
  DHCP Snooping  339
  Dynamic ARP Inspection  341
  Network Foundation Protection  343
  The Importance of the Network Infrastructure  343
  The Network Foundation Protection Framework  344
  Interdependence  344
  Implementing NFP  344


  Understanding and Securing the Management Plane  345
  Best Practices for Securing the Management Plane  345
  Understanding the Control Plane  347
  Best Practices for Securing the Control Plane  347
  Understanding and Securing the Data Plane  348
  Best Practices for Protecting the Data Plane  349
  Additional Data Plane Protection Mechanisms  349
  Securing Management Traffic  350
  What Is Management Traffic and the Management Plane?  350
  NETCONF and RESTCONF vs. SNMP  350
  Beyond the Console Cable  353
  Management Plane Best Practices  354
  Password Recommendations  356
  Using AAA to Verify Users  357
  Router Access Authentication  357
  The AAA Method List  358
  Role-Based Access Control  359
  Custom Privilege Levels  359
  Limiting the Administrator by Assigning a View  359
  Encrypted Management Protocols  359
  Using Logging Files  360
  Understanding NTP  361
  Protecting Cisco IOS, Cisco IOS-XE, Cisco IOS-XR, and Cisco NX-OS Files  362
  Implementing Security Measures to Protect the Management Plane  362
  Implementing Strong Passwords  362
  User Authentication with AAA  364
  Using the CLI to Troubleshoot AAA for Cisco Routers  369
  RBAC Privilege Level/Parser View  371
  Implementing Parser Views  374
  SSH and HTTPS  375
  Implementing Logging Features  378
  Configuring Syslog Support  378
  Configuring NTP  379
  Securing the Network Infrastructure Device Image and Configuration Files  380
  Securing the Data Plane in IPv6  381


  Understanding and Configuring IPv6  381
  The Format of an IPv6 Address  383
  Understanding the Shortcuts  383
  Did We Get an Extra Address?  383
  IPv6 Address Types  384
  Configuring IPv6 Routing  386
  Moving to IPv6  388
  Developing a Security Plan for IPv6  388
  Best Practices Common to Both IPv4 and IPv6  388
  Threats Common to Both IPv4 and IPv6  389
  The Focus on IPv6 Security  390
  New Potential Risks with IPv6  391
  IPv6 Best Practices  393
  IPv6 Access Control Lists  394
  Securing Routing Protocols and the Control Plane  395
  Minimizing the Impact of Control Plane Traffic on the CPU  395
  Details about CoPP  397
  Details about CPPr  399
  Securing Routing Protocols  399
  Implementing Routing Update Authentication on OSPF  400
  Implementing Routing Update Authentication on EIGRP  401
  Implementing Routing Update Authentication on RIP  401
  Implementing Routing Update Authentication on BGP  402
  Exam Preparation Tasks  404
  Review All Key Topics  404
  Define Key Terms  405
  Review Questions  405

Chapter 7  Cisco Secure Firewall  410
  “Do I Know This Already?” Quiz  410
  Foundation Topics  413
  Introduction to Cisco Secure Firewall  413
  Cisco Firewall History and Legacy  413
  Introducing the Cisco ASA  414
  The Cisco ASA FirePOWER Module  414
  Cisco Secure Firewall: Formerly known as Cisco Firepower Threat Defense (FTD)  415


  Cisco Secure Firewall  415
  Cisco Secure Firewall Migration Tool  415
  Cisco Secure Firewall Threat Defense Virtual  416
  Cisco Secure Firewall Cloud Native  417
  Cisco Secure Firewall ISA3000  418
  Cisco Secure WAF and Bot Protection  419
  SD-WAN, Firewall Capabilities, and the Cisco Integrated Services Routers (ISRs)  419
  Introduction to Cisco Secure Intrusion Prevention (NGIPS)  421
  Surveying the Cisco Secure Firewall Management Center (FMC)  423
  Cisco SecureX  426
  Exploring the Cisco Firepower Device Manager (FDM)  429
  Cisco Defense Orchestrator  433
  Comparing Network Security Solutions That Provide Firewall Capabilities  435
  Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities  437
  Routed vs. Transparent Firewalls  437
  Security Contexts  438
  Single-Mode Transparent Firewalls  439
  Surveying the Cisco Secure Firewall Deployment Modes  441
  Cisco Secure Firewall Interface Modes  442
  Inline Pair  445
  Inline Pair with Tap  445
  Passive Mode  446
  Passive with ERSPAN Mode  447
  Additional Cisco Secure Firewall Deployment Design Considerations  447
  High Availability and Clustering  448
  Clustering  450
  Implementing Access Control  452
  Implementing Access Control Lists in Cisco ASA  452
  Cisco ASA Application Inspection  458
  To-the-Box Traffic Filtering in the Cisco ASA  459
  Object Grouping and Other ACL Features  460
  Standard ACLs  461
  Time-Based ACLs  461
  ICMP Filtering in the Cisco ASA  462


  Network Address Translation in Cisco ASA  463
  Cisco ASA Auto NAT  469
  Implementing Access Control Policies in the Cisco Firepower Threat Defense  469
  Cisco Firepower Intrusion Policies  472
  Variables  475
  Platform Settings Policy  476
  Cisco NGIPS Preprocessors  476
  Cisco Secure Malware Defense  478
  Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date  483
  Security Intelligence Updates  484
  Keeping Software Up to Date  484
  Exam Preparation Tasks  484
  Review All Key Topics  485
  Define Key Terms  486
  Review Questions  486

Chapter 8  Virtual Private Networks (VPNs)  490
  “Do I Know This Already?” Quiz  490
  Foundation Topics  494
  Virtual Private Network (VPN) Fundamentals  494
  An Overview of IPsec  496
  IKEv1 Phase 1  496
  IKEv1 Phase 2  498
  NAT Traversal (NAT-T)  501
  IKEv2  501
  SSL VPNs  503
  Cisco Secure Client Mobility  504
  Deploying and Configuring Site-to-Site VPNs in Cisco Routers  506
  Traditional Site-to-Site VPNs in Cisco IOS and Cisco IOS-XE Devices  506
  Tunnel Interfaces  508
  GRE over IPsec  508
  More About Tunnel Interfaces  510
  Multipoint GRE (mGRE) Tunnels  512
  DMVPN  512
  GETVPN  515
  FlexVPN  518


Debug and Show Commands to Verify and Troubleshoot IPsec Tunnels    522
Configuring Site-to-Site VPNs in Cisco ASA Firewalls    528
Step 1: Enable ISAKMP in the Cisco ASA    529
Step 2: Create the ISAKMP Policy    529
Step 3: Set Up the Tunnel Groups    530
Step 4: Define the IPsec Policy    531
Step 5: Create the Crypto Map in the Cisco ASA    532
Step 6: Configure Traffic Filtering (Optional)    534
Step 7: Bypass NAT (Optional)    534
Step 8: Enable Perfect Forward Secrecy (Optional)    535
Additional Attributes in Cisco Site-to-Site VPN Configurations    535
Configuring Remote-Access VPNs in the Cisco ASA    537
Configuring IPsec Remote-Access VPN in the Cisco ASA    538
Configuring Clientless Remote Access SSL VPNs in the Cisco ASA    540
Cisco ASA Remote-Access VPN Design Considerations    541
Pre-SSL VPN Configuration Steps    542
Understanding the Remote-Access VPN Attributes and Policy Inheritance Model    544
Configuring Clientless SSL VPN Group Policies    544
Configuring the Tunnel Group for Clientless SSL VPN    545
Configuring User Authentication for Clientless SSL VPN    546
Enabling Clientless SSL VPN    548
Configuring WebType ACLs    549
Configuring Application Access in Clientless SSL VPNs    550
Configuring Client-Based Remote-Access SSL VPNs in the Cisco ASA    551
Setting Up Tunnel and Group Policies    552
Deploying the Cisco Secure Client    553
Understanding Split Tunneling    554
Understanding DTLS    555
Configuring Remote-Access VPNs in Cisco Secure Firewall    556
Using the Remote Access VPN Policy Wizard    557
Troubleshooting Cisco Secure Firewall Remote-Access VPN Implementations    566
Configuring Site-to-Site VPNs in the Cisco Secure Firewall    567
Cisco SD-WAN    569


Exam Preparation Tasks    573
Review All Key Topics    573
Define Key Terms    574
Review Questions    575

Chapter 9  Securing the Cloud    578
"Do I Know This Already?" Quiz    579
Foundation Topics    581
What Is Cloud and What Are the Cloud Service Models?    581
DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps    583
The Waterfall Development Methodology    583
The Agile Methodology    583
DevOps    586
CI/CD Pipelines    588
The Serverless Buzzword    589
Container Orchestration    592
A Quick Introduction to Containers and Docker    592
Kubernetes    597
Microservices and Micro-Segmentation    602
DevSecOps    603
Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models    605
Patch Management in the Cloud    607
Security Assessment in the Cloud and Questions to Ask Your Cloud Service Provider    607
Cisco Umbrella    608
The Cisco Umbrella Architecture    609
Secure Internet Gateway    610
Cisco Umbrella Investigate    612
Cisco Secure Email Threat Defense    614
Forged Email Detection    614
Sender Policy Framework    615
Email Encryption    615
Cisco Secure Email Threat Defense for Office 365    615
Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights)    616
Cisco Secure Cloud Analytics    618


AppDynamics Cloud Monitoring    619
Cisco Secure Workload    622
Cisco Secure Workload Agents    622
Application Dependency Mapping    622
Cisco Secure Workload Forensics Feature    623
Cisco Secure Workload Security Dashboard    623
Cisco XDR    627
Introducing the XDR Concept    627
Exploring the Cisco XDR Solution    628
Cisco XDR Threat Intelligence and Automation    632
Exam Preparation Tasks    632
Review All Key Topics    633
Define Key Terms    634
Review Questions    634

Chapter 10  Content Security    638
"Do I Know This Already?" Quiz    638
Foundation Topics    641
Content Security Fundamentals    641
Cisco Async Operating System (AsyncOS)    642
Cisco Secure Web Appliance    642
The Cisco Secure Web Appliance Proxy    643
Cisco Secure Web Appliance in Explicit Forward Mode    644
Cisco Secure Web Appliance in Transparent Mode    646
Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco Secure Web Appliance    647
Configuring WCCP on a Cisco Switch    649
Configuring the Cisco Secure Web Appliance to Accept WCCP Redirection    650
Traffic Redirection with Policy-Based Routing    651
Cisco Secure Web Appliance Security Services    652
Deploying Web Proxy IP Spoofing    653
Configuring Policies in the Cisco Secure Web Appliance    653
Cisco Secure Web Appliance Reports    655
Cisco Secure Email    658
Reviewing a Few Email Concepts    658
Cisco Secure Email Deployment    659


Cisco Secure Email Listeners    660
SenderBase    660
The Recipient Access Table (RAT)    661
Cisco Secure Email Data Loss Prevention    661
SMTP Authentication and Encryption    661
Domain Keys Identified Mail (DKIM)    662
Cisco Content Security Management Appliance (SMA)    662
Exam Preparation Tasks    667
Review All Key Topics    668
Define Key Terms    668
Review Questions    669

Chapter 11  Endpoint Protection and Detection    672
"Do I Know This Already?" Quiz    672
Foundation Topics    674
Introduction to Endpoint Protection and Detection    674
Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR)    676
Cisco Secure Endpoint    676
Outbreak Control    677
IP Blacklists and Whitelists    681
Cisco Secure Endpoint Application Control    683
Exclusion Sets    684
Cisco Secure Endpoint Connectors    687
Cisco Secure Endpoint Policies    687
Cisco Secure Client AMP Enabler    688
Cisco Secure Endpoint Engines    689
Cisco Secure Endpoint Reporting    690
Cisco Threat Response    693
Exam Preparation Tasks    693
Review All Key Topics    693
Define Key Terms    694
Review Questions    694

Chapter 12  Final Preparation    696
Hands-on Activities    696
Suggested Plan for Final Review and Study    696
Summary    697