Cisco CCNP Security Core - SCOR 350-701 Official Certification Guide (1).pdf
From the Library of William Timothy Ray Murray

Companion Website and Pearson Test Prep Access Code

Access interactive study tools on this book’s companion website, including practice test software, review exercises, a Key Term flash card application, a study planner, and more!

To access the companion website, simply follow these steps:

1. Go to ciscopress.com/register.
2. Enter the print book ISBN: 9780138221263.
3. Answer the security question to validate your purchase.
4. Go to your account page.
5. Click on the Registered Products tab.
6. Under the book listing, click on the Access Bonus Content link.

When you register your book, your Pearson Test Prep practice test access code will automatically be populated in your account under the Registered Products tab. You will need this code to access the practice test that comes with this book. You can redeem the code at PearsonTestPrep.com. Simply choose Pearson IT Certification as your product group and log in to the site with the same credentials you used to register your book. Click the Activate New Product button and enter the access code. More detailed instructions on how to redeem your access code for both the online and desktop versions can be found on the companion website.

If you have any issues accessing the companion website or obtaining your Pearson Test Prep practice test access code, you can contact our support team by going to pearsonitp.echelp.org.

CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide, 2nd Edition
OMAR SANTOS
Cisco Press
Hoboken, New Jersey

CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide, 2nd Edition
Omar Santos
Copyright © 2024 Cisco Systems, Inc.
Published by: Cisco Press
All rights reserved.

This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

Library of Congress Control Number: 2023914718
ISBN-13: 978-0-13-822126-3
ISBN-10: 0-13-822126-X

Warning and Disclaimer

This book is designed to provide information about the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the supplemental online content or programs accompanying it.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419. For government sales inquiries, please contact [email protected]. For questions about sales outside the U.S., please contact [email protected].

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Vice President, IT Professional: Mark Taub
Director, ITP Product Management: Brett Bartow
Alliances Manager, Cisco Press: Jaci Featherly; James Risler
Executive Editor: James Manly
Managing Editor: Sandra Schroeder
Development Editor: Christopher A. Cleveland
Senior Project Editor: Mandie Frank
Copy Editors: Bart Reed and Chuck Hutchinson
Technical Editor: John Stuppi
Designer: Chuti Prasertsith
Composition: codeMantra
Indexer: Erika Millen
Proofreader: Donna E. Mulder
Editorial Assistant: Cindy Teeters

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Pearson’s Commitment to Diversity, Equity, and Inclusion

Pearson is dedicated to creating bias-free content that reflects the diversity of all learners. We embrace the many dimensions of diversity, including but not limited to race, ethnicity, gender, socioeconomic status, ability, age, sexual orientation, and religious or political beliefs.

Education is a powerful force for equity and change in our world. It has the potential to deliver opportunities that improve lives and enable economic mobility. As we work with authors to create content for every product and service, we acknowledge our responsibility to demonstrate inclusivity and incorporate diverse scholarship so that everyone can achieve their potential through learning. As the world’s leading learning company, we have a duty to help drive change and live up to our purpose to help more people create a better life for themselves and to create a better world.

Our ambition is to purposefully contribute to a world where:

- Everyone has an equitable and lifelong opportunity to succeed through learning
- Our educational products and services are inclusive and represent the rich diversity of learners
- Our educational content accurately reflects the histories and experiences of the learners we serve
- Our educational content prompts deeper discussions with learners and motivates them to expand their own learning (and worldview)

While we work hard to present unbiased content, we want to hear from you about any concerns or needs with this Pearson product so that we can investigate and address them. Please contact us with concerns about any potential bias at https://www.pearson.com/report-bias.html.

Credits

Figure 1-4: United States Department of Defense
Figure 1-6: Webgoat SQL Injection
Figure 1-1, Figure 1-2: OffSec Services Limited
Figure 3-27 through Figure 3-30: Python Software Foundation
Figure 9-11: Amazon Web Services
Figure 9-14 through Figure 9-16: Docker Inc
Figure 9-19 through Figure 9-21: Google Inc
Figure 10-2: Apple Inc

About the Author

Omar Santos is a cybersecurity thought leader with a passion for driving industry-wide initiatives to enhance the security of critical infrastructures. Omar is the lead of the DEF CON Red Team Village, the chair of the Common Security Advisory Framework (CSAF) technical committee, and board member of the OASIS Open standards organization. Omar’s collaborative efforts extend to numerous organizations, including the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium for Advancement of Security on the Internet (ICASI).

Omar is a renowned expert in ethical hacking, vulnerability research, incident response, and AI security. He employs his deep understanding of these disciplines to help organizations stay ahead of emerging threats. His dedication to cybersecurity has made a significant impact on businesses, academic institutions, law enforcement agencies, and other entities striving to bolster their security measures. Omar is currently leading several Artificial Intelligence (AI) security research efforts at the Cisco Security and Trust Organization (STO).

With over twenty books, video courses, white papers, and technical articles under his belt, Omar’s expertise is widely recognized and respected. As a principal engineer at Cisco’s Product Security Incident Response Team (PSIRT), Omar not only leads engineers and incident managers in investigating and resolving cybersecurity vulnerabilities, but also actively mentors the next generation of security professionals. You can follow Omar on Twitter @santosomar.

About the Technical Reviewer

John Stuppi, CCIE No. 11154, is a Technical Leader in the Security & Trust Organization (S&TO) at Cisco where he consults Cisco customers on protecting their networks against existing and emerging cyber security threats, risks, and vulnerabilities. Current projects include working with newly acquired entities to integrate them into Cisco’s PSIRT Vulnerability Management processes and advising some of Cisco’s most strategic customers on vulnerability management and risk assessment. John has presented multiple times on various network security topics at Cisco Live, Black Hat, as well as other customer-facing cyber security conferences. John is also the co-author of the CCNA Security 210-260 Official Cert Guide published by Cisco Press. Additionally, John has contributed to the Cisco Security Portal through the publication of white papers, Security Blog posts, and Cyber Risk Report articles. Prior to joining Cisco, John worked as a network engineer for JPMorgan and then as a network security engineer at Time, Inc., with both positions based in New York City. John is also a CISSP (#25525) and holds AWS Cloud Practitioner and Information Systems Security (INFOSEC) Professional Certifications. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John splits his time between Eatontown, New Jersey and Clemson, South Carolina with his wife, son, daughter, and his dog.

Dedication

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

Acknowledgments

I would like to thank the technical editor and my good friend, John Stuppi, for his time and technical expertise. I would like to thank the Cisco Press team, especially James Manly and Christopher Cleveland, for their patience, guidance, and consideration. Finally, I would like to thank Cisco and the Cisco Product Security Incident Response Team (PSIRT), Security and Trust Organization for enabling me to constantly learn and achieve many goals throughout all these years.

Contents at a Glance

Introduction xxxi
Chapter 1 Cybersecurity Fundamentals 2
Chapter 2 Cryptography 80
Chapter 3 Software-Defined Networking Security and Network Programmability 110
Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management 156
Chapter 5 Network Visibility and Segmentation 232
Chapter 6 Infrastructure Security 316
Chapter 7 Cisco Secure Firewall 410
Chapter 8 Virtual Private Networks (VPNs) 490
Chapter 9 Securing the Cloud 578
Chapter 10 Content Security 638
Chapter 11 Endpoint Protection and Detection 672
Chapter 12 Final Preparation 696
Chapter 13 CCNP and CCIE Security Core SCOR (350-701) Exam Updates 698
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 702
Glossary 714
Index 732

Online Element
Appendix B Study Planner

Contents

Introduction xxxi

Chapter 1 Cybersecurity Fundamentals 2
  “Do I Know This Already?” Quiz 3
  Foundation Topics 6
  Introduction to Cybersecurity 6
  Cybersecurity vs. Information Security (InfoSec) 6
  The NIST Cybersecurity Framework 7
  Additional NIST Guidance and Documents 7
  The International Organization for Standardization (ISO) 8
  Defining What Are Threats, Vulnerabilities, and Exploits 8
  What Is a Threat? 8
  What Is a Vulnerability? 9
  What Is an Exploit? 10
  Risk, Assets, Threats, and Vulnerabilities 12
  Defining Threat Actors 13
  Understanding What Threat Intelligence Is 14
  Viruses and Worms 16
  Types and Transmission Methods 16
  Malware Payloads 17
  Trojans 18
  Trojan Types 18
  Trojan Ports and Communication Methods 19
  Trojan Goals 20
  Trojan Infection Mechanisms 21
  Effects of Trojans 22
  Distributing Malware 22
  Ransomware 23
  Covert Communication 24
  Keyloggers 26
  Spyware 27
  Analyzing Malware 28
  Static Analysis 28
  Dynamic Analysis 29
  Common Software and Hardware Vulnerabilities 31
  Injection Vulnerabilities 31
  SQL Injection 31
  HTML Injection 33
  Command Injection 33
  Authentication-based Vulnerabilities 33
  Credential Brute-Force Attacks and Password Cracking 34
  Session Hijacking 35
  Default Credentials 35
  Insecure Direct Object Reference Vulnerabilities 35
  Cross-site Scripting (XSS) 36
  Cross-site Request Forgery 38
  Server-side Request Forgery 38
  Cookie Manipulation Attacks 39
  Race Conditions 39
  Unprotected APIs 39
  Typical Attacks Against Artificial Intelligence (AI) and Machine Learning 40
  Return-to-LibC Attacks and Buffer Overflows 41
  OWASP Top 10 42
  Security Vulnerabilities in Open-Source Software 42
  Confidentiality, Integrity, and Availability 43
  What Is Confidentiality? 43
  What Is Integrity? 45
  What Is Availability? 46
  Talking About Availability, What Is a Denial-of-Service (DoS) Attack? 46
  Access Control Management 48
  Cloud Security Threats 50
  Cloud Computing Issues and Concerns 51
  Cloud Computing Attacks 53
  Cloud Computing Security 53
  IoT Security Threats 54
  IoT Protocols 56
  Hacking IoT Implementations 57
  An Introduction to Digital Forensics and Incident Response 58
  ISO/IEC 27002:2013 and NIST Incident Response Guidance 58
  What Is an Incident? 59
  False Positives, False Negatives, True Positives, and True Negatives 60
  Incident Severity Levels 60
  How Are Incidents Reported? 61
  What Is an Incident Response Program? 62
  The Incident Response Plan 62
  The Incident Response Process 63
  Tabletop Exercises and Playbooks 65
  Information Sharing and Coordination 66
  Computer Security Incident Response Teams 67
  Product Security Incident Response Teams (PSIRTs) 69
  The Common Vulnerability Scoring System (CVSS) 69
  The Stakeholder-Specific Vulnerability Categorization (SSVC) 73
  National CSIRTs and Computer Emergency Response Teams (CERTs) 74
  Coordination Centers 74
  Incident Response Providers and Managed Security Service Providers (MSSPs) 75
  Key Incident Management Personnel 75
  Summary 76
  Exam Preparation Tasks 76
  Review All Key Topics 76
  Define Key Terms 78
  Review Questions 78

Chapter 2 Cryptography 80
  “Do I Know This Already?” Quiz 80
  Foundation Topics 82
  Introduction to Cryptography 82
  Ciphers 82
  Keys 83
  Block and Stream Ciphers 84
  Symmetric and Asymmetric Algorithms 84
  Hashes 86
  Hashed Message Authentication Code 89
  Digital Signatures 90
  Key Management 92
  Next-Generation Encryption Protocols 92
  IPsec 93
  Post-Quantum Cryptography 93
  SSL and TLS 95
  Fundamentals of PKI 97
  Public and Private Key Pairs 97
  More About Keys and Digital Certificates 97
  Certificate Authorities 98
  Root Certificates 99
  Identity Certificates 101
  X.500 and X.509v3 101
  Authenticating and Enrolling with the CA 102
  Public Key Cryptography Standards 103
  Simple Certificate Enrollment Protocol 103
  Revoking Digital Certificates 103
  Digital Certificates in Practice 104
  PKI Topologies 105
  Single Root CA 105
  Hierarchical CA with Subordinate CAs 105
  Cross-Certifying CAs 106
  Exam Preparation Tasks 106
  Review All Key Topics 106
  Define Key Terms 107
  Review Questions 107

Chapter 3 Software-Defined Networking Security and Network Programmability 110
  “Do I Know This Already?” Quiz 110
  Foundation Topics 112
  Software-Defined Networking (SDN) and SDN Security 112
  Traditional Networking Planes 113
  So What’s Different with SDN? 114
  Introduction to the Cisco ACI Solution 114
  VXLAN and Network Overlays 116
  Micro-Segmentation 118
  Open-Source Initiatives 120
  More About Network Function Virtualization 121
  NFV MANO 123
  Contiv 123
  ThousandEyes Integration 124
  Cisco Digital Network Architecture (DNA) 125
  Cisco DNA Policies 127
  Cisco DNA Group-Based Access Control Policy 129
  Cisco DNA IP-Based Access Control Policy 131
  Cisco DNA Application Policies 131
  Cisco DNA Traffic Copy Policy 132
  Cisco DNA Center Assurance Solution 133
  Cisco DNA Center APIs 135
  Cisco DNA Security Solution 135
  Cisco DNA Multivendor Support 136
  Introduction to Network Programmability 136
  Modern Programming Languages and Tools 137
  DevNet 140
  Getting Started with APIs 140
  REST APIs 141
  Using Network Device APIs 145
  YANG Models 145
  NETCONF 147
  RESTCONF 149
  OpenConfig and gNMI 151
  Exam Preparation Tasks 151
  Review All Key Topics 151
  Define Key Terms 152
  Review Questions 152

Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management 156
  “Do I Know This Already?” Quiz 157
  Foundation Topics 160
  Introduction to Authentication, Authorization, and Accounting 160
  The Principle of Least Privilege and Separation of Duties 161
  Authentication 162
  Authentication by Knowledge 162
  Authentication by Ownership or Possession 164
  Authentication by Characteristic 164
  Multifactor Authentication 165
  Duo Security 166
  Zero Trust and BeyondCorp 169
  Single Sign-On 171
  JWT 173
  SSO and Federated Identity Elements 174
  Authorization 177
  Mandatory Access Control (MAC) 177
  Discretionary Access Control (DAC) 178
  Role-Based Access Control (RBAC) 178
  Rule-Based Access Control 178
  Attribute-Based Access Control 179
  Accounting 179
  Infrastructure Access Controls 179
  Access Control Mechanisms 179
  AAA Protocols 182
  RADIUS 182
  TACACS+ 184
  Diameter 186
  802.1X 188
  Network Access Control List and Firewalling 190
  VLAN ACLs 191
  Security Group–Based ACL 191
  Downloadable ACL 191
  Cisco Identity Services Engine (ISE) 192
  Cisco Platform Exchange Grid (pxGrid) 193
  Cisco ISE Context and Identity Services 195
  Cisco ISE Profiling Services 195
  Cisco ISE Identity Services 198
  Cisco ISE Authorization Rules 199
  Cisco TrustSec 201
  Posture Assessment 203
  Change of Authorization (CoA) 204
  Configuring TACACS+ Access 207
  Configuring RADIUS Authentication 213
  Configuring 802.1X Authentication 215
  Additional Cisco ISE Design Tips 222
  Advice on Sizing a Cisco ISE Distributed Deployment 224
  Exam Preparation Tasks 225
  Review All Key Topics 225
  Define Key Terms 226
  Review Questions 227

Chapter 5 Network Visibility and Segmentation 232
  “Do I Know This Already?” Quiz 233
  Foundation Topics 236
  Introduction to Network Visibility 236
  NetFlow 237
  The Network as a Sensor and as an Enforcer 238
  What Is a Flow? 238
  NetFlow for Network Security and Visibility 241
  NetFlow for Anomaly Detection and DDoS Attack Mitigation 241
  Data Leak Detection and Prevention 243
  Incident Response, Threat Hunting, and Network Security Forensics 243
  Traffic Engineering and Network Planning 248
  NetFlow Versions 249
  IP Flow Information Export (IPFIX) 249
  IPFIX Architecture 251
  Understanding IPFIX Mediators 251
  IPFIX Templates 252
  Option Templates 253
  Understanding the Stream Control Transmission Protocol (SCTP) 254
  Exploring Application Visibility and Control and NetFlow 254
  Application Recognition 254
  Metrics Collection and Exporting 255
  NetFlow Deployment Scenarios 255
  NetFlow Deployment Scenario: User Access Layer 256
  NetFlow Deployment Scenario: Wireless LAN 256
  NetFlow Deployment Scenario: Internet Edge 258
  NetFlow Deployment Scenario: Data Center 259
  NetFlow Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs 261
  Cisco Secure Network Analytics and Cisco Secure Cloud Analytics 263
  Cisco Secure Cloud Analytics 264
  On-Premises Monitoring with Cisco Secure Cloud Analytics 267
  Cisco Secure Cloud Analytics Integration with Meraki and Cisco Umbrella 268
  Exploring the Cisco Secure Network Analytics Dashboard 268
  Threat Hunting with Cisco Secure Network Analytics 270
  Cisco Cognitive Intelligence and Cisco Encrypted Traffic Analytics (ETA) 274
  What Is Cisco ETA? 274
  What Is Cisco Cognitive Intelligence? 274
  NetFlow Collection Considerations and Best Practices 279
  Determining the Flows per Second and Scalability 280
  Configuring NetFlow in Cisco IOS and Cisco IOS-XE 280
  Simultaneous Application Tracking 281
  Flexible NetFlow Records 282
  Flexible NetFlow Key Fields 282
  Flexible NetFlow Non-Key Fields 284
  NetFlow Predefined Records 285
  User-Defined Records 286
  Flow Monitors 286
  Flow Exporters 286
  Flow Samplers 286
  Flexible NetFlow Configuration 286
  Configure a Flow Record 287
  Configure a Flow Monitor for IPv4 or IPv6 289
  Configure a Flow Exporter for the Flow Monitor 291
  Apply a Flow Monitor to an Interface 293
  Flexible NetFlow IPFIX Export Format 294
  Configuring NetFlow in NX-OS 295
  Introduction to Network Segmentation 296
  Data-Driven Segmentation 297
  Application-Based Segmentation 299
  Micro-Segmentation with Cisco ACI 301
  Segmentation with Cisco ISE 302
  The Scalable Group Tag Exchange Protocol (SXP) 303
  SGT Assignment and Deployment 306
  Initially Deploying 802.1X and/or TrustSec in Monitor Mode 306
  Active Policy Enforcement 306
  Cisco ISE TrustSec and Cisco ACI Integration 310
  Exam Preparation Tasks 312
  Review All Key Topics 312
  Define Key Terms 313
  Review Questions 314

Chapter 6 Infrastructure Security 316
  “Do I Know This Already?” Quiz 317
  Foundation Topics 320
  Securing Layer 2 Technologies 320
  VLAN and Trunking Fundamentals 320
  What Is a VLAN? 321
  Trunking with 802.1Q 323
  Let’s Follow the Frame, Step by Step 325
  What Is the Native VLAN on a Trunk? 326
  So, What Do You Want to Be? (Asks the Port) 326
  Understanding Inter-VLAN Routing 326
  What Is the Challenge of Only Using Physical Interfaces? 326
  Using Virtual “Sub” Interfaces 326
  Spanning Tree Fundamentals 328
  The Solution to the Layer 2 Loop 328
  STP Is Wary of New Ports 331
  Improving the Time Until Forwarding 332
  Common Layer 2 Threats and How to Mitigate Them 333
  Do Not Allow Negotiations 334
  Layer 2 Security Toolkit 334
  BPDU Guard 335
  Root Guard 336
  Port Security 336
  CDP and LLDP 338
  DHCP Snooping 339
  Dynamic ARP Inspection 341
  Network Foundation Protection 343
  The Importance of the Network Infrastructure 343
  The Network Foundation Protection Framework 344
  Interdependence 344
  Implementing NFP 344
  Understanding and Securing the Management Plane 345
  Best Practices for Securing the Management Plane 345
  Understanding the Control Plane 347
  Best Practices for Securing the Control Plane 347
  Understanding and Securing the Data Plane 348
  Best Practices for Protecting the Data Plane 349
  Additional Data Plane Protection Mechanisms 349
  Securing Management Traffic 350
  What Is Management Traffic and the Management Plane? 350
  NETCONF and RESTCONF vs. SNMP 350
  Beyond the Console Cable 353
  Management Plane Best Practices 354
  Password Recommendations 356
  Using AAA to Verify Users 357
  Router Access Authentication 357
  The AAA Method List 358
  Role-Based Access Control 359
  Custom Privilege Levels 359
  Limiting the Administrator by Assigning a View 359
  Encrypted Management Protocols 359
  Using Logging Files 360
  Understanding NTP 361
  Protecting Cisco IOS, Cisco IOS-XE, Cisco IOS-XR, and Cisco NX-OS Files 362
  Implementing Security Measures to Protect the Management Plane 362
  Implementing Strong Passwords 362
  User Authentication with AAA 364
  Using the CLI to Troubleshoot AAA for Cisco Routers 369
  RBAC Privilege Level/Parser View 371
  Implementing Parser Views 374
  SSH and HTTPS 375
  Implementing Logging Features 378
  Configuring Syslog Support 378
  Configuring NTP 379
  Securing the Network Infrastructure Device Image and Configuration Files 380
  Securing the Data Plane in IPv6 381
  Understanding and Configuring IPv6 381
  The Format of an IPv6 Address 383
  Understanding the Shortcuts 383
  Did We Get an Extra Address? 383
  IPv6 Address Types 384
  Configuring IPv6 Routing 386
  Moving to IPv6 388
  Developing a Security Plan for IPv6 388
  Best Practices Common to Both IPv4 and IPv6 388
  Threats Common to Both IPv4 and IPv6 389
  The Focus on IPv6 Security 390
  New Potential Risks with IPv6 391
  IPv6 Best Practices 393
  IPv6 Access Control Lists 394
  Securing Routing Protocols and the Control Plane 395
  Minimizing the Impact of Control Plane Traffic on the CPU 395
  Details about CoPP 397
  Details about CPPr 399
  Securing Routing Protocols 399
  Implementing Routing Update Authentication on OSPF 400
  Implementing Routing Update Authentication on EIGRP 401
  Implementing Routing Update Authentication on RIP 401
  Implementing Routing Update Authentication on BGP 402
  Exam Preparation Tasks 404
  Review All Key Topics 404
  Define Key Terms 405
  Review Questions 405

Chapter 7 Cisco Secure Firewall 410
  “Do I Know This Already?” Quiz 410
  Foundation Topics 413
  Introduction to Cisco Secure Firewall 413
  Cisco Firewall History and Legacy 413
  Introducing the Cisco ASA 414
  The Cisco ASA FirePOWER Module 414
  Cisco Secure Firewall: Formerly known as Cisco Firepower Threat Defense (FTD) 415
  Cisco Secure Firewall 415
  Cisco Secure Firewall Migration Tool 415
  Cisco Secure Firewall Threat Defense Virtual 416
  Cisco Secure Firewall Cloud Native 417
  Cisco Secure Firewall ISA3000 418
  Cisco Secure WAF and Bot Protection 419
  SD-WAN, Firewall Capabilities, and the Cisco Integrated Services Routers (ISRs) 419
  Introduction to Cisco Secure Intrusion Prevention (NGIPS) 421
  Surveying the Cisco Secure Firewall Management Center (FMC) 423
  Cisco SecureX 426
  Exploring the Cisco Firepower Device Manager (FDM) 429
  Cisco Defense Orchestrator 433
  Comparing Network Security Solutions That Provide Firewall Capabilities 435
  Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities 437
  Routed vs. Transparent Firewalls 437
  Security Contexts 438
  Single-Mode Transparent Firewalls 439
  Surveying the Cisco Secure Firewall Deployment Modes 441
  Cisco Secure Firewall Interface Modes 442
  Inline Pair 445
  Inline Pair with Tap 445
  Passive Mode 446
  Passive with ERSPAN Mode 447
  Additional Cisco Secure Firewall Deployment Design Considerations 447
  High Availability and Clustering 448
  Clustering 450
  Implementing Access Control 452
  Implementing Access Control Lists in Cisco ASA 452
  Cisco ASA Application Inspection 458
  To-the-Box Traffic Filtering in the Cisco ASA 459
  Object Grouping and Other ACL Features 460
  Standard ACLs 461
  Time-Based ACLs 461
  ICMP Filtering in the Cisco ASA 462
  Network Address Translation in Cisco ASA 463
  Cisco ASA Auto NAT 469
  Implementing Access Control Policies in the Cisco Firepower Threat Defense 469
  Cisco Firepower Intrusion Policies 472
  Variables 475
  Platform Settings Policy 476
  Cisco NGIPS Preprocessors 476
  Cisco Secure Malware Defense 478
  Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date 483
  Security Intelligence Updates 484
  Keeping Software Up to Date 484
  Exam Preparation Tasks 484
  Review All Key Topics 485
  Define Key Terms 486
  Review Questions 486

Chapter 8 Virtual Private Networks (VPNs) 490
  “Do I Know This Already?” Quiz 490
  Foundation Topics 494
  Virtual Private Network (VPN) Fundamentals 494
  An Overview of IPsec 496
  IKEv1 Phase 1 496
  IKEv1 Phase 2 498
  NAT Traversal (NAT-T) 501
  IKEv2 501
  SSL VPNs 503
  Cisco Secure Client Mobility 504
  Deploying and Configuring Site-to-Site VPNs in Cisco Routers 506
  Traditional Site-to-Site VPNs in Cisco IOS and Cisco IOS-XE Devices 506
  Tunnel Interfaces 508
  GRE over IPsec 508
  More About Tunnel Interfaces 510
  Multipoint GRE (mGRE) Tunnels 512
  DMVPN 512
  GETVPN 515
  FlexVPN 518
  Debug and Show Commands to Verify and Troubleshoot IPsec Tunnels 522
  Configuring Site-to-Site VPNs in Cisco ASA Firewalls 528
  Step 1: Enable ISAKMP in the Cisco ASA 529
  Step 2: Create the ISAKMP Policy 529
  Step 3: Set Up the Tunnel Groups 530
  Step 4: Define the IPsec Policy 531
  Step 5: Create the Crypto Map in the Cisco ASA 532
  Step 6: Configure Traffic Filtering (Optional) 534
  Step 7: Bypass NAT (Optional) 534
  Step 8: Enable Perfect Forward Secrecy (Optional) 535
  Additional Attributes in Cisco Site-to-Site VPN Configurations 535
  Configuring Remote-Access VPNs in the Cisco ASA 537
  Configuring IPsec Remote-Access VPN in the Cisco ASA 538
  Configuring Clientless Remote Access SSL VPNs in the Cisco ASA 540
  Cisco ASA Remote-Access VPN Design Considerations 541
  Pre-SSL VPN Configuration Steps 542
  Understanding the Remote-Access VPN Attributes and Policy Inheritance Model 544
  Configuring Clientless SSL VPN Group Policies 544
  Configuring the Tunnel Group for Clientless SSL VPN 545
  Configuring User Authentication for Clientless SSL VPN 546
  Enabling Clientless SSL VPN 548
  Configuring WebType ACLs 549
  Configuring Application Access in Clientless SSL VPNs 550
  Configuring Client-Based Remote-Access SSL VPNs in the Cisco ASA 551
  Setting Up Tunnel and Group Policies 552
  Deploying the Cisco Secure Client 553
  Understanding Split Tunneling 554
  Understanding DTLS 555
  Configuring Remote-Access VPNs in Cisco Secure Firewall 556
  Using the Remote Access VPN Policy Wizard 557
  Troubleshooting Cisco Secure Firewall Remote-Access VPN Implementations 566
  Configuring Site-to-Site VPNs in the Cisco Secure Firewall 567
  Cisco SD-WAN 569
  Exam Preparation Tasks 573
  Review All Key Topics 573
  Define Key Terms 574
  Review Questions 575

Chapter 9 Securing the Cloud 578
  “Do I Know This Already?” Quiz 579
  Foundation Topics 581
  What Is Cloud and What Are the Cloud Service Models? 581
  DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps 583
  The Waterfall Development Methodology 583
  The Agile Methodology 583
  DevOps 586
  CI/CD Pipelines 588
  The Serverless Buzzword 589
  Container Orchestration 592
  A Quick Introduction to Containers and Docker 592
  Kubernetes 597
  Microservices and Micro-Segmentation 602
  DevSecOps 603
  Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models 605
  Patch Management in the Cloud 607
  Security Assessment in the Cloud and Questions to Ask Your Cloud Service Provider 607
  Cisco Umbrella 608
  The Cisco Umbrella Architecture 609
  Secure Internet Gateway 610
  Cisco Umbrella Investigate 612
  Cisco Secure Email Threat Defense 614
  Forged Email Detection 614
  Sender Policy Framework 615
  Email Encryption 615
  Cisco Secure Email Threat Defense for Office 365 615
  Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights) 616
  Cisco Secure Cloud Analytics 618
  AppDynamics Cloud Monitoring 619
  Cisco Secure Workload 622
  Cisco Secure Workload Agents 622
  Application Dependency Mapping 622
  Cisco Secure Workload Forensics Feature 623
  Cisco Secure Workload Security Dashboard 623
  Cisco XDR 627
  Introducing the XDR Concept 627
  Exploring the Cisco XDR Solution 628
  Cisco XDR Threat Intelligence and Automation 632
  Exam Preparation Tasks 632
  Review All Key Topics 633
  Define Key Terms 634
  Review Questions 634

Chapter 10 Content Security 638
  “Do I Know This Already?” Quiz 638
  Foundation Topics 641
  Content Security Fundamentals 641
  Cisco Async Operating System (AsyncOS) 642
  Cisco Secure Web Appliance 642
  The Cisco Secure Web Appliance Proxy 643
  Cisco Secure Web Appliance in Explicit Forward Mode 644
  Cisco Secure Web Appliance in Transparent Mode 646
  Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco Secure Web Appliance 647
  Configuring WCCP on a Cisco Switch 649
  Configuring the Cisco Secure Web Appliance to Accept WCCP Redirection 650
  Traffic Redirection with Policy-Based Routing 651
  Cisco Secure Web Appliance Security Services 652
  Deploying Web Proxy IP Spoofing 653
  Configuring Policies in the Cisco Secure Web Appliance 653
  Cisco Secure Web Appliance Reports 655
  Cisco Secure Email 658
  Reviewing a Few Email Concepts 658
  Cisco Secure Email Deployment 659
  Cisco Secure Email Listeners 660
  SenderBase 660
  The Recipient Access Table (RAT) 661
  Cisco Secure Email Data Loss Prevention 661
  SMTP Authentication and Encryption 661
  Domain Keys Identified Mail (DKIM) 662
  Cisco Content Security Management Appliance (SMA) 662
  Exam Preparation Tasks 667
  Review All Key Topics 668
  Define Key Terms 668
  Review Questions 669

Chapter 11 Endpoint Protection and Detection 672
  “Do I Know This Already?” Quiz 672
  Foundation Topics 674
  Introduction to Endpoint Protection and Detection 674
  Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR) 676
  Cisco Secure Endpoint 676
  Outbreak Control 677
  IP Blacklists and Whitelists 681
  Cisco Secure Endpoint Application Control 683
  Exclusion Sets 684
  Cisco Secure Endpoint Connectors 687
  Cisco Secure Endpoint Policies 687
  Cisco Secure Client AMP Enabler 688
  Cisco Secure Endpoint Engines 689
  Cisco Secure Endpoint Reporting 690
  Cisco Threat Response 693
  Exam Preparation Tasks 693
  Review All Key Topics 693
  Define Key Terms 694
  Review Questions 694

Chapter 12 Final Preparation 696
  Hands-on Activities 696
  Suggested Plan for Final Review and Study 696
  Summary 697

Chapter 13 CCNP and CCIE Security Core SCOR (350-701) Exam Updates 698
  The Purpose of This Chapter 698
  About Possible Exam Updates 698
  Impact on You and Your Study Plan 699
  News about the Next Exam Release 700
  Updated Technical Content 700

Appendix
A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 702 Glossary 714 Index 732 Online Element Appendix B Study Planner From the Library of William Timothy Ray Murray xxxi Introduction The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam is the required “core” exam for the CCNP Security and CCIE Security certifications. If you pass the SCOR 350-701 exam, you also obtain the Cisco Certified Specialist–Security Core Certification. This exam covers core security technologies, including cybersecurity fundamentals, network security, cloud security, identity management, secure network access, endpoint protection and detection, and visibility and enforcement. The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) is a 120-minute exam. TIP You can review the exam blueprint from Cisco’s website at https://learningnetwork. cisco.com/s/scor-exam-topics. This book gives you the foundation and covers the topics necessary to start your CCNP Security or CCIE Security journey. The CCNP Security Certification The CCNP Security certification is one of the industry’s most respected certifications. In order for you to earn the CCNP Security certification, you must pass two exams: the SCOR exam covered in this book (which covers core security technologies) and one secu- rity concentration exam of your choice, so you can customize your certification to your technical area of focus. TIP The SCOR core exam is also the qualifying exam for the CCIE Security certification. Passing this exam is the first step toward earning both of these certifications. 
The following are the CCNP Security concentration exams:
- Securing Networks with Cisco Firepower (SNCF 300-710)
- Implementing and Configuring Cisco Identity Services Engine (SISE 300-715)
- Securing Email with Cisco Email Security Appliance (SESA 300-720)
- Securing the Web with Cisco Web Security Appliance (SWSA 300-725)
- Implementing Secure Solutions with Virtual Private Networks (SVPN 300-730)
- Automating Cisco Security Solutions (SAUTO 300-735)

TIP CCNP Security now includes automation and programmability to help you scale your security infrastructure. If you pass the Developing Applications Using Cisco Core Platforms and APIs v1.0 (DEVCOR 350-901) exam, the SCOR exam, and the Automating Cisco Security Solutions (SAUTO 300-735) exam, you achieve both the CCNP Security and DevNet Professional certifications with only three exams. Every exam earns an individual Specialist certification, so you are recognized for each accomplishment instead of waiting until you pass all the exams.

There are no formal prerequisites for CCNP Security. In other words, you do not have to pass the CCNA Security or any other certification in order to take CCNP-level exams. The same goes for the CCIE exams. That said, CCNP candidates typically have three to five years of experience in IT and cybersecurity.
Cisco considers ideal candidates to be those who possess the following:
- Knowledge of implementing and operating core security technologies
- Understanding of cloud security
- Hands-on experience with Cisco Secure Firewalls, intrusion prevention systems (IPSs), and other network infrastructure devices
- Understanding of content security, endpoint protection and detection, and secure network access, visibility, and enforcement
- Understanding of cybersecurity concepts, with hands-on experience in implementing security controls

The CCIE Security Certification

The CCIE Security certification is one of the most admired and elite certifications in the industry. The CCIE Security program prepares you to be a recognized technical leader. To earn the CCIE Security certification, you must pass the SCOR 350-701 exam and an 8-hour, hands-on lab exam. The lab exam covers very complex network security scenarios, ranging from designing through deploying, operating, and optimizing security solutions. Cisco considers ideal candidates to be those who possess the following:
- Extensive hands-on experience with Cisco’s security portfolio
- Experience deploying Cisco Secure Firewalls and IPS devices
- Experience with cloud security solutions
- Deep understanding of secure connectivity and segmentation solutions
- Hands-on experience with infrastructure device hardening and infrastructure security
- Experience configuring and troubleshooting identity management, information exchange, and access control
- Deep understanding of advanced threat protection and content security

The Exam Objectives (Domains)

The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam is broken down into six major domains. The contents of this book cover each of the domains and the subtopics included in them, as illustrated in the following descriptions.
The following table breaks down each of the domains represented in the exam.

Domain | Percentage of Representation in Exam
1: Security Concepts | 25%
2: Network Security | 20%
3: Securing the Cloud | 15%
4: Content Security | 15%
5: Endpoint Protection and Detection | 10%
6: Secure Network Access, Visibility, and Enforcement | 15%
Total | 100%

Here are the details of each domain:

Domain 1: Security Concepts: This domain is covered in Chapters 1, 2, 3, and 8.
- 1.1 Explain common threats against on-premises and cloud environments
  - 1.1.a On-premises: viruses, trojans, DoS/DDoS attacks, phishing, rootkits, man-in-the-middle attacks, SQL injection, cross-site scripting, malware
  - 1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials
- 1.2 Compare common security vulnerabilities such as software bugs, weak and/or hard-coded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery
- 1.3 Describe functions of the cryptography components such as hashing, encryption, PKI, SSL, IPsec, NAT-T IPv4 for IPsec, pre-shared key, and certificate-based authorization
- 1.4 Compare site-to-site VPN and remote access VPN deployment types such as sVTI, IPsec, Cryptomap, DMVPN, FLEXVPN, including high availability considerations, and AnyConnect
- 1.5 Describe security intelligence authoring, sharing, and consumption
- 1.6 Explain the role of the endpoint in protecting humans from phishing and social engineering attacks
- 1.7 Explain northbound and southbound APIs in the SDN architecture
- 1.8 Explain DNAC APIs for network provisioning, optimization, monitoring, and troubleshooting
- 1.9 Interpret basic Python scripts used to call Cisco Security appliances APIs

Domain 2: Network Security: This domain is covered primarily in Chapters 5, 6, and 7.
- 2.1 Compare network security solutions that provide intrusion prevention and firewall capabilities
- 2.2 Describe deployment models of network security solutions and architectures that provide intrusion prevention and firewall capabilities
- 2.3 Describe the components, capabilities, and benefits of NetFlow and Flexible NetFlow records
- 2.4 Configure and verify network infrastructure security methods (router, switch, wireless)
  - 2.4.a Layer 2 methods (network segmentation using VLANs; Layer 2 and port security; DHCP snooping; Dynamic ARP inspection; storm control; PVLANs to segregate network traffic; and defenses against MAC, ARP, VLAN hopping, STP, and DHCP rogue attacks)
  - 2.4.b Device hardening of network infrastructure security devices (control plane, data plane, and management plane)
- 2.5 Implement segmentation, access control policies, AVC, URL filtering, and malware protection
- 2.6 Implement management options for network security solutions such as intrusion prevention and perimeter security (single vs. multidevice manager, in-band vs. out-of-band, CDP, DNS, SCP, SFTP, and DHCP security and risks)
- 2.7 Configure AAA for device and network access (authentication and authorization, TACACS+, RADIUS and RADIUS flows, accounting, and dACL)
- 2.8 Configure secure network management of perimeter security and infrastructure devices such as SNMPv3, NETCONF, RESTCONF, APIs, secure syslog, and NTP with authentication
- 2.9 Configure and verify site-to-site VPN and remote access VPN
  - 2.9.a Site-to-site VPN utilizing Cisco routers and IOS
  - 2.9.b Remote-access VPN using Cisco AnyConnect Secure Mobility client
  - 2.9.c Debug commands to view IPsec tunnel establishment and troubleshooting

Domain 3: Securing the Cloud: This domain is covered primarily in Chapter 9.
- 3.1 Identify security solutions for cloud environments
  - 3.1.a Public, private, hybrid, and community clouds
  - 3.1.b Cloud service models: SaaS, PaaS, and IaaS (NIST 800-145)
- 3.2 Compare the customer vs. provider security responsibility for the different cloud service models
  - 3.2.a Patch management in the cloud
  - 3.2.b Security assessment in the cloud
  - 3.2.c Cloud-delivered security solutions such as firewall, management, proxy, security intelligence, and CASB
- 3.3 Describe the concept of DevSecOps (CI/CD pipeline, container orchestration, and security)
- 3.4 Implement application and data security in cloud environments
- 3.5 Identify security capabilities, deployment models, and policy management to secure the cloud
- 3.6 Configure cloud logging and monitoring methodologies
- 3.7 Describe application and workload security concepts

Domain 4: Content Security: This domain is covered primarily in Chapter 10.
- 4.1 Implement traffic redirection and capture methods
- 4.2 Describe web proxy identity and authentication, including transparent user identification
- 4.3 Compare the components, capabilities, and benefits of local and cloud-based email and web solutions (ESA, CES, WSA)
- 4.4 Configure and verify web and email security deployment methods to protect on-premises and remote users (inbound and outbound controls and policy management)
- 4.5 Configure and verify email security features such as SPAM filtering, antimalware filtering, DLP, blacklisting, and email encryption
- 4.6 Configure and verify secure Internet gateway and web security features such as blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS decryption
- 4.7 Describe the components, capabilities, and benefits of Cisco Umbrella
- 4.8 Configure and verify web security controls on Cisco Umbrella (identities, URL content settings, destination lists, and reporting)

Domain 5: Endpoint Protection and Detection: This domain is covered primarily in Chapter 11.
- 5.1 Compare Endpoint Protection Platforms (EPPs) and Endpoint Detection & Response (EDR) solutions
- 5.2 Explain antimalware, retrospective security, Indicator of Compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry
- 5.3 Configure and verify outbreak control and quarantines to limit infection
- 5.4 Describe justifications for endpoint-based security
- 5.5 Describe the value of endpoint device management and asset inventory such as MDM
- 5.6 Describe the uses and importance of a multifactor authentication (MFA) strategy
- 5.7 Describe endpoint posture assessment solutions to ensure endpoint security
- 5.8 Explain the importance of an endpoint patching strategy

Domain 6: Secure Network Access, Visibility, and Enforcement: This domain is covered primarily in Chapters 4 and 5.
- 6.1 Describe identity management and secure network access concepts such as guest services, profiling, posture assessment, and BYOD
- 6.2 Configure and verify network access device functionality such as 802.1X, MAB, and WebAuth
- 6.3 Describe network access with CoA
- 6.4 Describe the benefits of device compliance and application control
- 6.5 Explain exfiltration techniques (DNS tunneling, HTTPS, email, FTP/SSH/SCP/SFTP, ICMP, Messenger, IRC, and NTP)
- 6.6 Describe the benefits of network telemetry
- 6.7 Describe the components, capabilities, and benefits of these security products and solutions:
  - 6.7.a Cisco Secure Network Analytics
  - 6.7.b Cisco Stealthwatch Cloud
  - 6.7.c Cisco pxGrid
  - 6.7.d Cisco Umbrella Investigate
  - 6.7.e Cisco Cognitive Threat Analytics
  - 6.7.f Cisco Encrypted Traffic Analytics
  - 6.7.g Cisco AnyConnect Network Visibility Module (NVM)

Steps to Pass the SCOR Exam

There are no prerequisites for the SCOR exam. However, candidates must have an understanding of networking and cybersecurity concepts.
Signing Up for the Exam

The following steps are required to sign up for the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam:
1. Create a Certiport account at https://www.certiport.com/portal/SSL/Login.aspx.
2. Once you have logged in, make sure that “Test Candidate” is selected from the drop-down menu.
3. Click the Shop Available Exams button.
4. Select the Schedule exam button under the exam you wish to take.
5. Verify your information and continue through the next few screens.
6. On the Enter payment and billing page, click the Add Voucher or Promo Code button if applicable. Enter the voucher number or promo/discount code in the field below and click the Apply button.
7. Continue through the next two screens to finish scheduling your exam.

Facts About the Exam
- The exam is a computer-based test.
- The exam consists of multiple-choice questions only.
- You must bring a government-issued identification card. No other forms of ID will be accepted.
- You can take the exam at a Pearson VUE center or online via the OnVUE platform. Visit the OnVUE page for your exam program: https://home.pearsonvue.com/Test-takers/OnVUE-online-proctoring/View-all.aspx. Once there, navigate to the FAQs section of the page, where you will find helpful information on everything from scheduling your exam to system requirements, testing policies, and more.

TIP Refer to the Cisco Certification site at https://cisco.com/go/certifications for more information regarding this and other Cisco certifications.

About the CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

This book maps directly to the topic areas of the SCOR exam and uses a number of features to help you understand the topics and prepare for the exam.
Objectives and Methods

This book uses several key methodologies to help you discover the exam topics that need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. This book does not try to help you pass the exam by memorization alone; it seeks to help you truly learn and understand the topics. This book is designed to help you pass the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam by using the following methods:
- Helping you discover which exam topics you have not mastered
- Providing explanations and information to fill in your knowledge gaps
- Supplying exercises that enhance your ability to recall and deduce the answers to test questions
- Providing practice exercises on the topics and the testing process via test questions on the companion website

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:
- Foundation Topics: These are the core sections of each chapter. They explain the concepts for the topics in that chapter.
- Exam Preparation Tasks: After the “Foundation Topics” section of each chapter, the “Exam Preparation Tasks” section lists a series of study activities that you should do at the end of the chapter:
  - Review All Key Topics: The Key Topic icon appears next to the most important items in the “Foundation Topics” section of the chapter. The Review All Key Topics activity lists the key topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each key topic, so you should review these.
  - Define Key Terms: Although the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam is unlikely to ask a question such as “Define this term,” the exam does require that you learn and know a lot of cybersecurity terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.
  - Review Questions: Confirm that you understand the content you just covered by answering these questions and reading the answer explanations.
- Web-based practice exam: The companion website includes the Pearson Cert Practice Test engine, which allows you to take practice exam questions. Use it to prepare with a sample exam and to pinpoint topics where you need more study.

How This Book Is Organized

This book contains 11 core chapters, Chapters 1 through 11. Chapter 12 includes preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam. The core chapters map to the SCOR topic areas and cover the concepts and technologies you will encounter on the exam.

The Companion Website for Online Content Review

All the electronic review elements, as well as other electronic components of the book, exist on this book’s companion website. To access the companion website, which gives you access to the electronic content that comes with this book, start by establishing a login at www.ciscopress.com and registering your book. To do so, simply go to www.ciscopress.com/register and enter the ISBN of the print book: 9780138221263. After you have registered your book, go to your account page and click the Registered Products tab. From there, click the Access Bonus Content link to get access to the book’s companion website.
Note that if you buy the Premium Edition eBook and Practice Test version of this book from Cisco Press, your book will automatically be registered on your account page. Simply go to your account page, click the Registered Products tab, and select Access Bonus Content to access the book’s companion website.

Please note that many of our companion content files can be very large, especially image and video files. If you are unable to locate the files for this title by following the steps above, please visit www.pearsonITcertification.com/contact and select the Site Problems/Comments option. Our customer service representatives will assist you.

How to Access the Pearson Test Prep (PTP) App

You have two options for installing and using the Pearson Test Prep application: a web app and a desktop app. To use the Pearson Test Prep application, start by finding the registration code that comes with the book. You can find the code in these ways:
- Print book or bookseller eBook versions: You can get your access code by registering the print ISBN (9780138221263) on ciscopress.com/register. Make sure to use the print book ISBN regardless of whether you purchased an eBook or the print book. Once you register the book, your access code will be populated on your account page under the Registered Products tab. Instructions for how to redeem the code are available on the book’s companion website by clicking the Access Bonus Content link.
- Premium Edition: If you purchase the Premium Edition eBook and Practice Test directly from the Cisco Press website, the code will be populated on your account page after purchase. Just log in at ciscopress.com, click Account to see details of your account, and click the digital purchases tab.

NOTE After you register your book, your code can always be found in your account under the Registered Products tab.
Once you have the access code, to find instructions about both the PTP web app and the desktop app, follow these steps:
Step 1. Open this book’s companion website, as shown earlier in this Introduction under the heading “The Companion Website for Online Content Review.”
Step 2. Click the Practice Exams button.
Step 3. Follow the instructions listed there both for installing the desktop app and for using the web app.

Note that if you want to use the web app only at this point, just navigate to pearsontestprep.com, log in using the same credentials used to register your book or purchase the Premium Edition, and register this book’s practice tests using the registration code you just found. The process should take only a couple of minutes.

Customizing Your Exams

Once you are in the exam settings screen, you can choose to take exams in one of three modes:
- Study mode: Allows you to fully customize your exams and review answers as you are taking the exam. This is typically the mode you would use first to assess your knowledge and identify information gaps.
- Practice Exam mode: Locks certain customization options, as it presents a realistic exam experience. Use this mode when you are preparing to test your exam readiness.
- Flash Card mode: Strips out the answers and presents you with only the question stem. This mode is great for late-stage preparation when you really want to challenge yourself to provide answers without the benefit of seeing multiple-choice options. This mode does not provide the detailed score reports that the other two modes do, so you should not use it if you are trying to identify knowledge gaps.

In addition to these three modes, you will be able to select the source of your questions. You can choose to take exams that cover all of the chapters, or you can narrow your selection to just a single chapter or the chapters that make up specific parts in the book. All chapters are selected by default.
If you want to narrow your focus to individual chapters, simply deselect all the chapters and then select only those on which you wish to focus in the Objectives area.

You can also select the exam banks on which to focus. Each exam bank comes complete with a full exam of questions that cover topics in every chapter. The two exams printed in the book are available to you, as well as two additional exams of unique questions. You can have the test engine serve up exams from all four banks or from just one individual bank by selecting the desired banks in the exam bank area.

There are several other customizations you can make to your exam from the exam settings screen, such as the time of the exam, the number of questions served up, whether to randomize questions and answers, whether to show the number of correct answers for multiple-answer questions, and whether to serve up only specific types of questions. You can also create custom test banks by selecting only questions that you have marked or questions on which you have added notes.

Updating Your Exams

If you are using the online version of the Pearson Test Prep software, you should always have access to the latest version of the software as well as the exam data. If you are using the Windows desktop version, every time you launch the software while connected to the Internet, it checks whether there are any updates to your exam data and automatically downloads any changes that were made since the last time you used the software.

Sometimes, due to many factors, the exam data may not fully download when you activate your exam. If you find that figures or exhibits are missing, you may need to manually update your exams. To update a particular exam you have already activated and downloaded, simply click the Tools tab and click the Update Products button.
Again, this is only an issue with the desktop Windows application. If you wish to check for updates to the Pearson Test Prep exam engine software (Windows desktop version), simply click the Tools tab and click the Update Application button. This ensures that you are running the latest version of the software engine.

CHAPTER 1 Cybersecurity Fundamentals

This chapter covers the following topics:
- Introduction to Cybersecurity: Cybersecurity programs recognize that organizations must be vigilant, resilient, and ready to protect and defend every ingress and egress connection, as well as organizational data wherever it is stored, transmitted, or processed. In this chapter, you will learn concepts of cybersecurity and information security.
- Defining What Are Threats, Vulnerabilities, and Exploits: Describe the difference between cybersecurity threats, vulnerabilities, and exploits.
- Exploring Common Threats: Describe and understand the most common cybersecurity threats.
- Common Software and Hardware Vulnerabilities: Describe and understand the most common software and hardware vulnerabilities.
- Confidentiality, Integrity, and Availability: The CIA triad is a model used to define security policies that protect assets. The idea is that confidentiality, integrity, and availability should be guaranteed in any system that is considered secure.
- Cloud Security Threats: Learn about different cloud security threats and how cloud computing has changed traditional IT, introducing several security challenges and benefits at the same time.
- IoT Security Threats: The proliferation of connected devices is introducing major cybersecurity risks in today’s environment.
- An Introduction to Digital Forensics and Incident Response: You will learn the concepts of digital forensics and incident response (DFIR) and cybersecurity operations.
This chapter starts by introducing you to different cybersecurity concepts that are foundational for any individual starting a career in cybersecurity or network security. You will learn the difference between cybersecurity threats, vulnerabilities, and exploits. You will also explore the most common cybersecurity threats, as well as common software and hardware vulnerabilities. You will learn the details of the CIA triad: confidentiality, integrity, and availability. In this chapter, you will also learn about different cloud security and IoT security threats. This chapter concludes with an introduction to DFIR and security operations.

The following SCOR 350-701 exam objectives are covered in this chapter:
- 1.1 Explain common threats against on-premises and cloud environments
  - 1.1.a On-premises: viruses, Trojans, DoS/DDoS attacks, phishing, rootkits, man-in-the-middle attacks, SQL injection, cross-site scripting, malware
  - 1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials
- 1.2 Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery
- 1.5 Describe security intelligence authoring, sharing, and consumption
- 1.6 Explain the role of the endpoint in protecting humans from phishing and social engineering attacks

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions.
You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 1-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section | Questions
Introduction to Cybersecurity | 1
Defining What Are Threats, Vulnerabilities, and Exploits | 2–6
Common Software and Hardware Vulnerabilities | 7–10
Confidentiality, Integrity, and Availability | 11–13
Cloud Security Threats | 14–15
IoT Security Threats | 16–17
An Introduction to Digital Forensics and Incident Response | 18

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following is a collection of industry standards and best practices to help organizations manage cybersecurity risks?
a. MITRE
b. NIST Cybersecurity Framework
c. ISO Cybersecurity Framework
d. CERT/cc

2. _________ is any potential danger to an asset.
a. Vulnerability
b. Threat
c. Exploit
d. None of these answers are correct.

3. A ___________ is a weakness in the system design, implementation, software, or code, or the lack of a mechanism.
a. Vulnerability
b. Threat
c. Exploit
d. None of these answers are correct.

4. Which of the following is a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system?
a. Exploit
b. Reverse shell
c. Searchsploit
d. None of these answers are correct.

5. Which of the following is referred to as the knowledge about an existing or emerging threat to assets, including networks and systems?
a. Exploits
b. Vulnerabilities
c. Threat assessment
d. Threat intelligence

6. Which of the following are examples of malware attack and propagation mechanisms?
a. Master boot record infection
b. File infector
c. Macro infector
d. All of these answers are correct.

7. Vulnerabilities are typically identified by a ___________.
a. CVE
b. CVSS
c. PSIRT
d. None of these answers are correct.

8. SQL injection attacks can be divided into which of the following categories?
a. Blind SQL injection
b. Out-of-band SQL injection
c. In-band SQL injection
d. All of these answers are correct.

9. Which of the following is a type of vulnerability where the flaw is in a web application but the attack is against an end user (client)?
a. XXE
b. HTML injection
c. SQL injection
d. XSS

10. Which of the following is a way for an attacker to perform a session hijack attack?
a. Predicting session tokens
b. Session sniffing
c. Man-in-the-middle attack
d. Man-in-the-browser attack
e. All of these answers are correct.

11. A denial-of-service attack impacts which of the following?
a. Integrity
b. Availability
c. Confidentiality
d. None of these answers are correct.

12. Which of the following are examples of security mechanisms designed to preserve confidentiality?
a. Logical and physical access controls
b. Encryption
c. Controlled traffic routing
d. All of these answers are correct.

13. An attacker is able to manipulate the configuration of a router by stealing the administrator credential. This attack impacts which of the following?
a. Integrity
b. Session keys
c. Encryption
d. None of these answers are correct.

14. Which of the following is a cloud deployment model?
a. Public cloud
b. Community cloud
c. Private cloud
d. All of these answers are correct.

15. Which of the following cloud models includes all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software?
a. SaaS
b. PaaS
c. SDLC containers
d. None of these answers are correct.

16. Which of the following is not a communications protocol used in IoT environments?
a. Zigbee
b. INSTEON
c. LoRaWAN
d. 802.1X

17. Which of the following is an example of tools and methods used to hack IoT devices?
a. UART debuggers
b. JTAG analyzers
c. IDA
d. Ghidra
e. All of these answers are correct.

18. Which of the following is an adverse event that threatens business security and/or disrupts service?
a. An incident
b. An IPS alert
c. A DLP alert
d. A SIEM alert

Foundation Topics

Introduction to Cybersecurity

In today’s highly interconnected world, our individual and collective actions can have a profound impact, either for good or for ill. It is in this context that cybersecurity plays a crucial role, safeguarding not only our personal data but also our economy, critical infrastructure, and national security against the risks posed by inadvertent or intentional misuse, compromise, or destruction of information and information systems.

However, the scope of cybersecurity risk extends beyond data breaches to encompass the entire organization’s operations that rely on digitization and accessibility, making it more crucial than ever for businesses to develop an effective cybersecurity program. It is no longer sufficient to delegate this responsibility solely to the IT team; rather, every individual within an organization must take an active role in mitigating these risks, from entry-level employees to the board of directors.

Developing and maintaining robust cybersecurity measures are vital aspects of organizational strategy in today’s digital landscape.
By doing so, we can ensure that our information systems remain secure and that our collective actions lead to positive outcomes for all. Cybersecurity vs. Information Security (InfoSec) Many individuals confuse traditional information security with cybersecurity. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization. Unfortunately, this is no longer sufficient. Organizations are rarely self-contained, and the price of interconnec- tivity is exposure to attack. Every organization, regardless of size or geographic location, is a potential target. Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks. From the Library of William Timothy Ray Murray Chapter 1: Cybersecurity Fundamentals 7 Cybersecurity programs recognize that organizations must be vigilant, resilient, and ready to protect and defend every ingress and egress connection as well as organizational data wher- 1 ever it is stored, transmitted, or processed. Cybersecurity programs and policies expand and build upon traditional information security programs, but also include the following: Cyber risk management and oversight Threat intelligence and information sharing Third-party organization, software, and hardware dependency management Incident response and resiliency Threat hunting and adversarial emulation The NIST Cybersecurity Framework The National Institute of Standards and Technology (NIST) is a well-known organization tha