CCNP Security 350-701 Reddit Questions

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

Explanation

We choose “Chat and Instant Messaging” category in “URL Category”:

To block certain URLs we need to choose URL Reputation from 6 to 10.

The Cisco ASA and the Cisco IOS router with Zone-Based Policy Firewall (ZFW) have different default behaviors when it comes to traffic filtering. The Cisco ASA follows a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic1. The Cisco IOS router with ZFW, on the other hand, starts out by allowing all traffic, even on untrusted interfaces, until a zone-pair policy is applied to restrict or inspect traffic2. This means that the Cisco ASA provides a higher level of security by default, while the Cisco IOS router with ZFW requires more configuration to harden the router. However, the Cisco IOS router with ZFW also offers more flexibility and granularity in defining firewall policies, as well as more advanced features such as DMVPN, GET VPN, and Policy-Based Routing, which are not supported by the Cisco ASA23. References:

2: IOS Firewall vs. ASA - Cisco Community

1: Understand the Zone-Based Policy Firewall Design - Cisco

4: What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy firewall?

5: What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-based policy firewall?

3: Cisco Zone-Based Firewall Reporting – Plixer

Workload security models refer to the ways of protecting applications, services, and capabilities that run on a cloud resource. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud, and different types of cloud service models, such as IaaS, PaaS, and SaaS. However, these are not workload security models, but rather ways of describing the cloud environment and the level of abstraction. Workload security models are more focused on the location and ownership of the workloads, and how they are secured. The two main workload security models are off-premises and on-premises. Off-premises workload security model means that the workloads are hosted and managed by a third-party cloud service provider, such as AWS, Azure, or GCP. The cloud service provider is responsible for the security of the underlying infrastructure, such as the physical servers, network devices, storage systems, and hypervisors. The customer is responsible for the security of the workloads themselves, such as the guest operating systems, applications, data, and users. The customer can use various tools and techniques to secure their workloads, such as encryption, firewalls, identity and access management, vulnerability scanning, and logging and monitoring. On-premises workload security model means that the workloads are hosted and managed by the customer on their own data center or private cloud. The customer is responsible for the security of both the infrastructure and the workloads, and has full control and visibility over them. The customer can use similar tools and techniques as the off-premises model, but also has to deal with the physical security, network security, and compliance requirements of their own environment. References:

What Is Workload Security? On-Premises, Cloud, Kubernetes, and More

What is Cloud Workload Security? - CyberArk

What is Cloud Workload Protection? | Workload Security | VMware

What is Cloud Workload Security? - Check Point Software

Introduction To Classic Security Models - GeeksforGeeks