Text preview & study summary

Cisco CCNP Security SCOR 350-701 - All Domains Network Security Cloud Endpoint Visibility

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A security engineer is hardening a Cisco router. Which combination of configurations reduces the attack surface on management plane access?

Answer choices

  • A. Enable Telnet on all interfaces, disable SSH

  • B. Use SSH version 2, apply ACLs to VTY lines, enable AAA authentication, and set exec timeouts (Correct)

  • C. Enable HTTP management on port 80, configure SNMP community string "public"

  • D. Disable all authentication to simplify troubleshooting

Explanation

Hardening the management plane requires: SSH v2 (encrypted remote access — Telnet sends credentials in plaintext), VTY ACLs (restrict which source IPs can access the device), AAA authentication (centralize authentication, authorization, and accounting through RADIUS/TACACS+), and exec timeouts (auto-disconnect idle sessions to prevent unauthorized access). Telnet is insecure. Default SNMP community strings like "public" are widely exploited. Disabling authentication is a critical security failure.

Question 2

A firewall engineer is configuring Cisco Secure Firewall (FTD) and needs to allow internal users to access the internet while blocking all unsolicited inbound connections. The firewall also needs to inspect return traffic automatically. Which firewall feature handles this automatically?

Answer choices

  • A. Access Control Lists (ACLs) with explicit permit for return traffic

  • B. Stateful inspection tracking connection state in the state table (Correct)

  • C. NAT with static one-to-one mappings for all internal hosts

  • D. Application layer gateway (ALG) for all protocols

Explanation

Stateful inspection (the foundation of all modern firewalls including Cisco FTD) maintains a connection state table. When an internal host initiates an outbound connection, the firewall records the session (source IP, destination IP, ports, protocol). Return traffic matching an established session is automatically permitted without requiring explicit inbound rules. ACLs would require manual rules for each return flow. Static NAT is used for inbound access to specific hosts. ALGs handle specific protocols that embed IP addresses in payloads (FTP, SIP).

Question 3

What differentiates a next-generation IPS (NGIPS) from a traditional signature-based IPS?

Answer choices

  • A. NGIPS uses only signature matching; traditional IPS uses behavior-based anomaly detection

  • B. NGIPS correlates network context (user identity, application, device type) with signatures to reduce false positives (Correct)

  • C. NGIPS operates at Layer 2 only; traditional IPS inspects up to Layer 7

  • D. NGIPS requires hardware appliances; traditional IPS can run as software

Explanation

A Next-Generation IPS (NGIPS) enriches traditional signature-based detection with contextual awareness: it considers the application being used, the user's identity, the host's OS and vulnerability profile (from network discovery), and behavioral analytics. This context reduces false positives (e.g., not alerting on a Windows exploit if the target runs Linux) and improves detection accuracy. Both NGIPS and traditional IPS can run on hardware or software. NGIPS inspects through Layer 7. NGIPS still uses signatures but enriches them with context.

Question 4

What is the primary function of Cisco Umbrella's DNS-layer security?

Answer choices

  • A. It encrypts all DNS queries using DNS-over-HTTPS to prevent eavesdropping

  • B. It blocks connections to malicious domains at the DNS resolution stage, before any TCP/IP connection is established (Correct)

  • C. It caches DNS responses to improve performance and reduce latency

  • D. It provides authoritative DNS resolution for internal corporate domains

Explanation

Cisco Umbrella acts as a recursive DNS resolver that evaluates every DNS query against its threat intelligence database. When a user queries a malicious domain (malware C2, phishing site, or prohibited category), Umbrella returns a blocked response — stopping the connection before it is established at the IP layer. This is more efficient than firewall blocking because the TCP connection is never initiated. DNS-over-HTTPS encryption is a privacy feature, not Umbrella's primary security function. DNS caching and authoritative resolution are secondary capabilities.

Question 5

A security engineer is reviewing a Cisco FTD connection event and notices traffic on port 443 to an external IP flagged as a Tor exit node. The certificate subject name is `*.malicious-c2.io`. Which two actions should the engineer take? (Choose TWO)

Answer choices

  • A. Block the IP address and domain in the ACP with a blacklist rule (Correct)

  • B. Investigate the internal host for compromise indicators using Cisco Secure Endpoint (Correct)

  • C. Increase the MTU on the firewall interface to improve inspection performance

  • D. Enable SSL decryption policy for Tor traffic to inspect the full payload

  • E. Archive the connection log for annual compliance review

Explanation

The combination of a Tor exit node IP and a certificate for `*.malicious-c2.io` strongly indicates malware Command & Control (C2) communication. Immediate actions: (A) Add the IP and domain to block lists in the FTD Access Control Policy and/or Cisco Umbrella DNS security to prevent further connections. (B) Investigate the internal source host for malware compromise using Cisco Secure Endpoint — check process history, file activity, and network connections. Decrypting Tor traffic is complex and may not be necessary with the obvious indicators. MTU changes are irrelevant to this scenario. Archiving without acting is insufficient response.