Text preview & study summary
Cisco CCNP Security SCOR 350-701 - All Domains Network Security Cloud Endpoint Visibility
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A security engineer is hardening a Cisco router. Which combination of configurations reduces the attack surface on management plane access?
Explanation
Hardening the management plane requires: SSH v2 (encrypted remote access — Telnet sends credentials in plaintext), VTY ACLs (restrict which source IPs can access the device), AAA authentication (centralize authentication, authorization, and accounting through RADIUS/TACACS+), and exec timeouts (auto-disconnect idle sessions to prevent unauthorized access). Telnet is insecure. Default SNMP community strings like "public" are widely exploited. Disabling authentication is a critical security failure.
Question 2
A firewall engineer is configuring Cisco Secure Firewall (FTD) and needs to allow internal users to access the internet while blocking all unsolicited inbound connections. The firewall also needs to inspect return traffic automatically. Which firewall feature handles this automatically?
Explanation
Stateful inspection (the foundation of all modern firewalls including Cisco FTD) maintains a connection state table. When an internal host initiates an outbound connection, the firewall records the session (source IP, destination IP, ports, protocol). Return traffic matching an established session is automatically permitted without requiring explicit inbound rules. ACLs would require manual rules for each return flow. Static NAT is used for inbound access to specific hosts. ALGs handle specific protocols that embed IP addresses in payloads (FTP, SIP).
Question 3
What differentiates a next-generation IPS (NGIPS) from a traditional signature-based IPS?
Explanation
A Next-Generation IPS (NGIPS) enriches traditional signature-based detection with contextual awareness: it considers the application being used, the user's identity, the host's OS and vulnerability profile (from network discovery), and behavioral analytics. This context reduces false positives (e.g., not alerting on a Windows exploit if the target runs Linux) and improves detection accuracy. Both NGIPS and traditional IPS can run on hardware or software. NGIPS inspects through Layer 7. NGIPS still uses signatures but enriches them with context.
Question 4
What is the primary function of Cisco Umbrella's DNS-layer security?
Explanation
Cisco Umbrella acts as a recursive DNS resolver that evaluates every DNS query against its threat intelligence database. When a user queries a malicious domain (malware C2, phishing site, or prohibited category), Umbrella returns a blocked response — stopping the connection before it is established at the IP layer. This is more efficient than firewall blocking because the TCP connection is never initiated. DNS-over-HTTPS encryption is a privacy feature, not Umbrella's primary security function. DNS caching and authoritative resolution are secondary capabilities.
Question 5
A security engineer is reviewing a Cisco FTD connection event and notices traffic on port 443 to an external IP flagged as a Tor exit node. The certificate subject name is `*.malicious-c2.io`. Which two actions should the engineer take? (Choose TWO)
Explanation
The combination of a Tor exit node IP and a certificate for `*.malicious-c2.io` strongly indicates malware Command & Control (C2) communication. Immediate actions: (A) Add the IP and domain to block lists in the FTD Access Control Policy and/or Cisco Umbrella DNS security to prevent further connections. (B) Investigate the internal source host for malware compromise using Cisco Secure Endpoint — check process history, file activity, and network connections. Decrypting Tor traffic is complex and may not be necessary with the obvious indicators. MTU changes are irrelevant to this scenario. Archiving without acting is insufficient response.
