Pass 350-701 Exam Guide

 Cisco Identity Services Engine (ISE) and AnyConnect Posture module are the best solution to ensure that all endpoints are compliant before users are allowed access on the corporate network. ISE is a policy-based platform that provides secure network access, identity management, and endpoint compliance. AnyConnect Posture module is a component of the AnyConnect Secure Mobility Client that performs posture assessment and remediation on the endpoints. Together, they can enforce policies based on the endpoint’s compliance status, such as the presence and update of the corporate antivirus application and the Windows 10 build version. The administrator can configure posture requirements, profiles, and policies on ISE, and deploy them to the endpoints through AnyConnect. The endpoints will then report their posture status to ISE, which will grant or deny network access accordingly, or redirect them to a remediation portal if needed. References :

 Cisco ISE supports two types of WebAuth for BYOD: central WebAuth and local WebAuth. Central WebAuth is the default method and it uses the ISE portal to authenticate the users and redirect them to the BYOD portal. Local WebAuth is an alternative method that uses the network access device (NAD) portal to authenticate the users and then redirects them to the ISE BYOD portal. Both methods require the configuration of a guest component on ISE, which is used to create the BYOD portal and the guest user accounts. The guest component also provides the self-service onboarding and registration features for the BYOD users. The dual component is not related to BYOD, but rather to the dual-SSID method, which uses two separate SSIDs for provisioning and access. The null WebAuth component is not a valid option for BYOD. References :=

Some possible references are:

Cisco ISE BYOD Prescriptive Deployment Guide

Configure Single SSID Wireless BYOD on Windows and ISE

Cisco ISE for BYOD and Secure Unified Access, 2nd Edition

The service password-encryption command is used to encrypt all passwords in the router configuration file, such as the enable password, the console password, the vty password, and the username password. This command prevents credentials from being seen if the router configuration was compromised, for example, by an attacker who gained access to the router or the backup files. The encryption used by this command is a weak algorithm that can be easily reversed, but it provides some level of protection against casual observers1.

The other commands are not used to encrypt passwords in the router configuration file. The username privilege 15 password and the username password commands are used to create local user accounts with or without administrative privileges, respectively. These commands store the passwords in clear text unless the service password-encryption command is enabled2. The service password-recovery command is used to enable or disable the password recovery mechanism on the router. This command does not affect the encryption of passwords in the configuration file3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.1: Device Hardening, page 1-14. 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.2: Management Plane Security, page 1-17. 3: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, Chapter: service password-recovery, page 1.

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can compromise the user’s interaction with the web application, steal sensitive data, perform unauthorized actions, and more. To prevent XSS, web developers need to apply various defensive techniques to ensure that user-supplied data is not interpreted as code by the browser. Two of these techniques are:

Incorporate contextual output encoding/escaping: This means that any user-supplied data that is displayed on the web page should be properly encoded or escaped according to the context where it appears. For example, if the data is inserted into an HTML attribute, it should be HTML attribute encoded; if the data is inserted into a JavaScript string, it should be JavaScript string encoded; and so on. This prevents the data from breaking out of its intended context and being executed as code by the browser. Output encoding should be done by using a reliable library or framework that supports different contexts and encodings.

Run untrusted HTML input through an HTML sanitization engine: This means that any user-supplied data that is intended to contain HTML markup should be filtered and validated by a sanitization engine that removes or escapes any potentially dangerous elements, attributes, or scripts. This prevents the attacker from injecting malicious HTML code that can execute scripts, load external resources, redirect the user, or perform other malicious actions. HTML sanitization should be done by using a well-tested and maintained library or framework that follows the best practices and standards for HTML filtering.

References :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Web Application Security, Topic 5.2.2: Cross-Site Scripting (XSS)

Cross Site Scripting Prevention Cheat Sheet - OWASP

What is cross-site scripting (XSS) and how to prevent it? - Web Security Academy