CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide (2023)
Companion Website and Pearson Test Prep
Access Code
Access interactive study tools on this book’s companion website, including practice test software,
review exercises, a Key Term flash card application, a study planner, and more!
To access the companion website, simply follow these steps:
1. Go to ciscopress.com/register.
2. Enter the print book ISBN: 9780138221263.
3. Answer the security question to validate your purchase.
4. Go to your account page.
5. Click on the Registered Products tab.
6. Under the book listing, click on the Access Bonus Content link.
When you register your book, your Pearson Test Prep practice test access code will automatically
be populated in your account under the Registered Products tab. You will need this code to access
the practice test that comes with this book. You can redeem the code at PearsonTestPrep.com.
Simply choose Pearson IT Certification as your product group and log in to the site with the same
credentials you used to register your book. Click the Activate New Product button and enter the
access code. More detailed instructions on how to redeem your access code for both the online
and desktop versions can be found on the companion website.
If you have any issues accessing the companion website or obtaining your Pearson
Test Prep practice test access code, you can contact our support team by going to
pearsonitp.echelp.org.
Cisco Press
Hoboken, New Jersey
CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide, 2nd Edition
Omar Santos
CCNP and CCIE Security Core
SCOR 350-701 Official Cert Guide,
2nd Edition
Omar Santos
Copyright © 2024 Cisco Systems, Inc.
Published by:
Cisco Press
All rights reserved. This publication is protected by copyright, and permission must be obtained from the
publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form
or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding
permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights &
Permissions Department, please visit www.pearson.com/permissions.
No patent liability is assumed with respect to the use of the information contained herein. Although
every precaution has been taken in the preparation of this book, the publisher and author assume no
responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of
the information contained herein.
Library of Congress Control Number: 2023914718
ISBN-13: 978-0-13-822126-3
ISBN-10: 0-13-822126-X
Warning and Disclaimer
This book is designed to provide information about the Implementing and Operating Cisco Security Core
Technologies (SCOR 350-701) exam. Every effort has been made to make this book as complete and accurate
as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The
author and the publisher shall have neither liability nor responsibility to any person or entity with respect
to any loss or damages arising from the information contained in this book or from the use of the
supplemental online content or programs accompanying it.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Cisco Press cannot attest to the accuracy of this information. Use of a term in this book
should not be regarded as affecting the validity of any trademark or service mark.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at
corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of
members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.
We greatly appreciate your assistance.
Vice President, IT Professional: Mark Taub
Director, ITP Product Management: Brett Bartow
Executive Editor: James Manly
Managing Editor: Sandra Schroeder
Development Editor: Christopher A. Cleveland
Senior Project Editor: Mandie Frank
Copy Editors: Bart Reed and Chuck Hutchinson
Technical Editor: John Stuppi
Editorial Assistant: Cindy Teeters
Designer: Chuti Prasertsith
Composition: codeMantra
Indexer: Erika Millen
Proofreader: Donna E. Mulder
Alliances Manager, Cisco Press: Jaci Featherly; James Risler
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore
Europe Headquarters
Cisco Systems International BV Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (1110R)
Pearson’s Commitment to Diversity, Equity,
and Inclusion
Pearson is dedicated to creating bias-free content that reflects the diversity of all learners.
We embrace the many dimensions of diversity, including but not limited to race, ethnicity,
gender, socioeconomic status, ability, age, sexual orientation, and religious or political
beliefs.
Education is a powerful force for equity and change in our world. It has the potential to
deliver opportunities that improve lives and enable economic mobility. As we work with
authors to create content for every product and service, we acknowledge our responsibility
to demonstrate inclusivity and incorporate diverse scholarship so that everyone can
achieve their potential through learning. As the world’s leading learning company, we have
a duty to help drive change and live up to our purpose to help more people create a
better life for themselves and to create a better world.
Our ambition is to purposefully contribute to a world where
■ Everyone has an equitable and lifelong opportunity to succeed through learning
■ Our educational products and services are inclusive and represent the rich diversity
of learners
■ Our educational content accurately reflects the histories and experiences of the
learners we serve
■ Our educational content prompts deeper discussions with learners and motivates
them to expand their own learning (and worldview)
While we work hard to present unbiased content, we want to hear from you about any
concerns or needs with this Pearson product so that we can investigate and address them.
Please contact us with concerns about any potential bias at https://www.pearson.com/report-bias.html.
Credits
Figure 1-4: United States Department of Defense
Figure 1-6: Webgoat SQL Injection
Figure 1-1, Figure 1-2: OffSec Services Limited
Figure 3-27 to Figure 3-30: Python Software Foundation
Figure 9-11: Amazon Web Services
Figure 9-14 to Figure 9-16: Docker Inc
Figure 9-19 to Figure 9-21: Google Inc
Figure 10-2: Apple Inc
About the Author
Omar Santos is a cybersecurity thought leader with a passion for driving industry-wide
initiatives to enhance the security of critical infrastructures. Omar is the lead of the
DEF CON Red Team Village, the chair of the Common Security Advisory Framework
(CSAF) technical committee, and board member of the OASIS Open standards
organization. Omar’s collaborative efforts extend to numerous organizations, including
the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium
for Advancement of Security on the Internet (ICASI).
Omar is a renowned expert in ethical hacking, vulnerability research, incident response,
and AI security. He employs his deep understanding of these disciplines to help
organizations stay ahead of emerging threats. His dedication to cybersecurity has made a
significant impact on businesses, academic institutions, law enforcement agencies, and
other entities striving to bolster their security measures. Omar is currently leading several
Artificial Intelligence (AI) security research efforts at the Cisco Security and Trust
Organization (STO).
With over twenty books, video courses, white papers, and technical articles under his
belt, Omar’s expertise is widely recognized and respected. As a principal engineer at
Cisco’s Product Security Incident Response Team (PSIRT), Omar not only leads engineers
and incident managers in investigating and resolving cybersecurity vulnerabilities, but
also actively mentors the next generation of security professionals. You can follow Omar
on Twitter @santosomar.
About the Technical Reviewer
John Stuppi, CCIE No. 11154, is a Technical Leader in the Security & Trust Organization
(S&TO) at Cisco where he consults Cisco customers on protecting their networks against
existing and emerging cyber security threats, risks, and vulnerabilities. Current projects
include working with newly acquired entities to integrate them into Cisco’s PSIRT
Vulnerability Management processes and advising some of Cisco’s most strategic customers
on vulnerability management and risk assessment. John has presented multiple times
on various network security topics at Cisco Live, Black Hat, as well as other
customer-facing cyber security conferences. John is also the co-author of the CCNA Security
210-260 Official Cert Guide published by Cisco Press. Additionally, John has contributed
to the Cisco Security Portal through the publication of white papers, Security Blog
posts, and Cyber Risk Report articles. Prior to joining Cisco, John worked as a network
engineer for JPMorgan and then as a network security engineer at Time, Inc., with both
positions based in New York City. John is also a CISSP (#25525) and holds AWS Cloud
Practitioner and Information Systems Security (INFOSEC) Professional Certifications. In
addition, John has a BSEE from Lehigh University and an MBA from Rutgers University.
John splits his time between Eatontown, New Jersey and Clemson, South Carolina with
his wife, son, daughter, and his dog.
Dedication
I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful
children, Hannah and Derek, who have inspired and supported me throughout the
development of this book.
Acknowledgments
I would like to thank the technical editor and my good friend, John Stuppi, for his time
and technical expertise.
I would like to thank the Cisco Press team, especially James Manly and Christopher
Cleveland, for their patience, guidance, and consideration.
Finally, I would like to thank Cisco and the Cisco Product Security Incident Response
Team (PSIRT), Security and Trust Organization for enabling me to constantly learn and
achieve many goals throughout all these years.
Contents at a Glance
Introduction xxxi
Chapter 1 Cybersecurity Fundamentals 2
Chapter 2 Cryptography 80
Chapter 3 Software-Defined Networking Security and Network Programmability 110
Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management 156
Chapter 5 Network Visibility and Segmentation 232
Chapter 6 Infrastructure Security 316
Chapter 7 Cisco Secure Firewall 410
Chapter 8 Virtual Private Networks (VPNs) 490
Chapter 9 Securing the Cloud 578
Chapter 10 Content Security 638
Chapter 11 Endpoint Protection and Detection 672
Chapter 12 Final Preparation 696
Chapter 13 CCNP and CCIE Security Core SCOR (350-701) Exam Updates 698
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 702
Glossary 714
Index 732
Online Element
Appendix B Study Planner
Contents
Introduction xxxi
Chapter 1 Cybersecurity Fundamentals 2
“Do I Know This Already?” Quiz 3
Foundation Topics 6
Introduction to Cybersecurity 6
Cybersecurity vs. Information Security (InfoSec) 6
The NIST Cybersecurity Framework 7
Additional NIST Guidance and Documents 7
The International Organization for Standardization (ISO) 8
Defining What Are Threats, Vulnerabilities, and Exploits 8
What Is a Threat? 8
What Is a Vulnerability? 9
What Is an Exploit? 10
Risk, Assets, Threats, and Vulnerabilities 12
Defining Threat Actors 13
Understanding What Threat Intelligence Is 14
Viruses and Worms 16
Types and Transmission Methods 16
Malware Payloads 17
Trojans 18
Trojan Types 18
Trojan Ports and Communication Methods 19
Trojan Goals 20
Trojan Infection Mechanisms 21
Effects of Trojans 22
Distributing Malware 22
Ransomware 23
Covert Communication 24
Keyloggers 26
Spyware 27
Analyzing Malware 28
Static Analysis 28
Dynamic Analysis 29
Common Software and Hardware Vulnerabilities 31
Injection Vulnerabilities 31
SQL Injection 31
HTML Injection 33
Command Injection 33
Authentication-based Vulnerabilities 33
Credential Brute-Force Attacks and Password Cracking 34
Session Hijacking 35
Default Credentials 35
Insecure Direct Object Reference Vulnerabilities 35
Cross-site Scripting (XSS) 36
Cross-site Request Forgery 38
Server-side Request Forgery 38
Cookie Manipulation Attacks 39
Race Conditions 39
Unprotected APIs 39
Typical Attacks Against Artificial Intelligence (AI) and Machine Learning 40
Return-to-LibC Attacks and Buffer Overflows 41
OWASP Top 10 42
Security Vulnerabilities in Open-Source Software 42
Confidentiality, Integrity, and Availability 43
What Is Confidentiality? 43
What Is Integrity? 45
What Is Availability? 46
Talking About Availability, What Is a Denial-of-Service (DoS) Attack? 46
Access Control Management 48
Cloud Security Threats 50
Cloud Computing Issues and Concerns 51
Cloud Computing Attacks 53
Cloud Computing Security 53
IoT Security Threats 54
IoT Protocols 56
Hacking IoT Implementations 57
An Introduction to Digital Forensics and Incident Response 58
ISO/IEC 27002:2013 and NIST Incident Response Guidance 58
What Is an Incident? 59
False Positives, False Negatives, True Positives, and True Negatives 60
Incident Severity Levels 60
How Are Incidents Reported? 61
What Is an Incident Response Program? 62
The Incident Response Plan 62
The Incident Response Process 63
Tabletop Exercises and Playbooks 65
Information Sharing and Coordination 66
Computer Security Incident Response Teams 67
Product Security Incident Response Teams (PSIRTs) 69
The Common Vulnerability Scoring System (CVSS) 69
The Stakeholder-Specific Vulnerability Categorization (SSVC) 73
National CSIRTs and Computer Emergency Response Teams (CERTs) 74
Coordination Centers 74
Incident Response Providers and Managed Security Service Providers (MSSPs) 75
Key Incident Management Personnel 75
Summary 76
Exam Preparation Tasks 76
Review All Key Topics 76
Define Key Terms 78
Review Questions 78
Chapter 2 Cryptography 80
“Do I Know This Already?” Quiz 80
Foundation Topics 82
Introduction to Cryptography 82
Ciphers 82
Keys 83
Block and Stream Ciphers 84
Symmetric and Asymmetric Algorithms 84
Hashes 86
Hashed Message Authentication Code 89
Digital Signatures 90
Key Management 92
Next-Generation Encryption Protocols 92
IPsec 93
Post-Quantum Cryptography 93
SSL and TLS 95
Fundamentals of PKI 97
Public and Private Key Pairs 97
More About Keys and Digital Certificates 97
Certificate Authorities 98
Root Certificates 99
Identity Certificates 101
X.500 and X.509v3 101
Authenticating and Enrolling with the CA 102
Public Key Cryptography Standards 103
Simple Certificate Enrollment Protocol 103
Revoking Digital Certificates 103
Digital Certificates in Practice 104
PKI Topologies 105
Single Root CA 105
Hierarchical CA with Subordinate CAs 105
Cross-Certifying CAs 106
Exam Preparation Tasks 106
Review All Key Topics 106
Define Key Terms 107
Review Questions 107
Chapter 3 Software-Defined Networking Security and Network Programmability 110
“Do I Know This Already?” Quiz 110
Foundation Topics 112
Software-Defined Networking (SDN) and SDN Security 112
Traditional Networking Planes 113
So What’s Different with SDN? 114
Introduction to the Cisco ACI Solution 114
VXLAN and Network Overlays 116
Micro-Segmentation 118
Open-Source Initiatives 120
More About Network Function Virtualization 121
NFV MANO 123
Contiv 123
ThousandEyes Integration 124
Cisco Digital Network Architecture (DNA) 125
Cisco DNA Policies 127
Cisco DNA Group-Based Access Control Policy 129
Cisco DNA IP-Based Access Control Policy 131
Cisco DNA Application Policies 131
Cisco DNA Traffic Copy Policy 132
Cisco DNA Center Assurance Solution 133
Cisco DNA Center APIs 135
Cisco DNA Security Solution 135
Cisco DNA Multivendor Support 136
Introduction to Network Programmability 136
Modern Programming Languages and Tools 137
DevNet 140
Getting Started with APIs 140
REST APIs 141
Using Network Device APIs 145
YANG Models 145
NETCONF 147
RESTCONF 149
OpenConfig and gNMI 151
Exam Preparation Tasks 151
Review All Key Topics 151
Define Key Terms 152
Review Questions 152
Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management 156
“Do I Know This Already?” Quiz 157
Foundation Topics 160
Introduction to Authentication, Authorization, and Accounting 160
The Principle of Least Privilege and Separation of Duties 161
Authentication 162
Authentication by Knowledge 162
Authentication by Ownership or Possession 164
Authentication by Characteristic 164
Multifactor Authentication 165
Duo Security 166
Zero Trust and BeyondCorp 169
Single Sign-On 171
JWT 173
SSO and Federated Identity Elements 174
Authorization 177
Mandatory Access Control (MAC) 177
Discretionary Access Control (DAC) 178
Role-Based Access Control (RBAC) 178
Rule-Based Access Control 178
Attribute-Based Access Control 179
Accounting 179
Infrastructure Access Controls 179
Access Control Mechanisms 179
AAA Protocols 182
RADIUS 182
TACACS+ 184
Diameter 186
802.1X 188
Network Access Control List and Firewalling 190
VLAN ACLs 191
Security Group–Based ACL 191
Downloadable ACL 191
Cisco Identity Services Engine (ISE) 192
Cisco Platform Exchange Grid (pxGrid) 193
Cisco ISE Context and Identity Services 195
Cisco ISE Profiling Services 195
Cisco ISE Identity Services 198
Cisco ISE Authorization Rules 199
Cisco TrustSec 201
Posture Assessment 203
Change of Authorization (CoA) 204
Configuring TACACS+ Access 207
Configuring RADIUS Authentication 213
Configuring 802.1X Authentication 215
Additional Cisco ISE Design Tips 222
Advice on Sizing a Cisco ISE Distributed Deployment 224
Exam Preparation Tasks 225
Review All Key Topics 225
Define Key Terms 226
Review Questions 227
Chapter 5 Network Visibility and Segmentation 232
“Do I Know This Already?” Quiz 233
Foundation Topics 236
Introduction to Network Visibility 236
NetFlow 237
The Network as a Sensor and as an Enforcer 238
What Is a Flow? 238
NetFlow for Network Security and Visibility 241
NetFlow for Anomaly Detection and DDoS Attack Mitigation 241
Data Leak Detection and Prevention 243
Incident Response, Threat Hunting, and Network Security Forensics 243
Traffic Engineering and Network Planning 248
NetFlow Versions 249
IP Flow Information Export (IPFIX) 249
IPFIX Architecture 251
Understanding IPFIX Mediators 251
IPFIX Templates 252
Option Templates 253
Understanding the Stream Control Transmission Protocol (SCTP) 254
Exploring Application Visibility and Control and NetFlow 254
Application Recognition 254
Metrics Collection and Exporting 255
NetFlow Deployment Scenarios 255
NetFlow Deployment Scenario: User Access Layer 256
NetFlow Deployment Scenario: Wireless LAN 256
NetFlow Deployment Scenario: Internet Edge 258
NetFlow Deployment Scenario: Data Center 259
NetFlow Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs 261
Cisco Secure Network Analytics and Cisco Secure Cloud Analytics 263
Cisco Secure Cloud Analytics 264
On-Premises Monitoring with Cisco Secure Cloud Analytics 267
Cisco Secure Cloud Analytics Integration with Meraki and Cisco Umbrella 268
Exploring the Cisco Secure Network Analytics Dashboard 268
Threat Hunting with Cisco Secure Network Analytics 270
Cisco Cognitive Intelligence and Cisco Encrypted Traffic Analytics (ETA) 274
What Is Cisco ETA? 274
What Is Cisco Cognitive Intelligence? 274
NetFlow Collection Considerations and Best Practices 279
Determining the Flows per Second and Scalability 280
Configuring NetFlow in Cisco IOS and Cisco IOS-XE 280
Simultaneous Application Tracking 281
Flexible NetFlow Records 282
Flexible NetFlow Key Fields 282
Flexible NetFlow Non-Key Fields 284
NetFlow Predefined Records 285
User-Defined Records 286
Flow Monitors 286
Flow Exporters 286
Flow Samplers 286
Flexible NetFlow Configuration 286
Configure a Flow Record 287
Configure a Flow Monitor for IPv4 or IPv6 289
Configure a Flow Exporter for the Flow Monitor 291
Apply a Flow Monitor to an Interface 293
Flexible NetFlow IPFIX Export Format 294
Configuring NetFlow in NX-OS 295
Introduction to Network Segmentation 296
Data-Driven Segmentation 297
Application-Based Segmentation 299
Micro-Segmentation with Cisco ACI 301
Segmentation with Cisco ISE 302
The Scalable Group Tag Exchange Protocol (SXP) 303
SGT Assignment and Deployment 306
Initially Deploying 802.1X and/or TrustSec in Monitor Mode 306
Active Policy Enforcement 306
Cisco ISE TrustSec and Cisco ACI Integration 310
Exam Preparation Tasks 312
Review All Key Topics 312
Define Key Terms 313
Review Questions 314
Chapter 6 Infrastructure Security 316
“Do I Know This Already?” Quiz 317
Foundation Topics 320
Securing Layer 2 Technologies 320
VLAN and Trunking Fundamentals 320
What Is a VLAN? 321
Trunking with 802.1Q 323
Let’s Follow the Frame, Step by Step 325
What Is the Native VLAN on a Trunk? 326
So, What Do You Want to Be? (Asks the Port) 326
Understanding Inter-VLAN Routing 326
What Is the Challenge of Only Using Physical Interfaces? 326
Using Virtual “Sub” Interfaces 326
Spanning Tree Fundamentals 328
The Solution to the Layer 2 Loop 328
STP Is Wary of New Ports 331
Improving the Time Until Forwarding 332
Common Layer 2 Threats and How to Mitigate Them 333
Do Not Allow Negotiations 334
Layer 2 Security Toolkit 334
BPDU Guard 335
Root Guard 336
Port Security 336
CDP and LLDP 338
DHCP Snooping 339
Dynamic ARP Inspection 341
Network Foundation Protection 343
The Importance of the Network Infrastructure 343
The Network Foundation Protection Framework 344
Interdependence 344
Implementing NFP 344
Understanding and Securing the Management Plane 345
Best Practices for Securing the Management Plane 345
Understanding the Control Plane 347
Best Practices for Securing the Control Plane 347
Understanding and Securing the Data Plane 348
Best Practices for Protecting the Data Plane 349
Additional Data Plane Protection Mechanisms 349
Securing Management Traffic 350
What Is Management Traffic and the Management Plane? 350
NETCONF and RESTCONF vs. SNMP 350
Beyond the Console Cable 353
Management Plane Best Practices 354
Password Recommendations 356
Using AAA to Verify Users 357
Router Access Authentication 357
The AAA Method List 358
Role-Based Access Control 359
Custom Privilege Levels 359
Limiting the Administrator by Assigning a View 359
Encrypted Management Protocols 359
Using Logging Files 360
Understanding NTP 361
Protecting Cisco IOS, Cisco IOS-XE, Cisco IOS-XR, and Cisco NX-OS Files 362
Implementing Security Measures to Protect the Management Plane 362
Implementing Strong Passwords 362
User Authentication with AAA 364
Using the CLI to Troubleshoot AAA for Cisco Routers 369
RBAC Privilege Level/Parser View 371
Implementing Parser Views 374
SSH and HTTPS 375
Implementing Logging Features 378
Configuring Syslog Support 378
Configuring NTP 379
Securing the Network Infrastructure Device Image and Configuration Files 380
Securing the Data Plane in IPv6 381
Understanding and Configuring IPv6 381
The Format of an IPv6 Address 383
Understanding the Shortcuts 383
Did We Get an Extra Address? 383
IPv6 Address Types 384
Configuring IPv6 Routing 386
Moving to IPv6 388
Developing a Security Plan for IPv6 388
Best Practices Common to Both IPv4 and IPv6 388
Threats Common to Both IPv4 and IPv6 389
The Focus on IPv6 Security 390
New Potential Risks with IPv6 391
IPv6 Best Practices 393
IPv6 Access Control Lists 394
Securing Routing Protocols and the Control Plane 395
Minimizing the Impact of Control Plane Traffic on the CPU 395
Details about CoPP 397
Details about CPPr 399
Securing Routing Protocols 399
Implementing Routing Update Authentication on OSPF 400
Implementing Routing Update Authentication on EIGRP 401
Implementing Routing Update Authentication on RIP 401
Implementing Routing Update Authentication on BGP 402
Exam Preparation Tasks 404
Review All Key Topics 404
Define Key Terms 405
Review Questions 405
Chapter 7 Cisco Secure Firewall 410
“Do I Know This Already?” Quiz 410
Foundation Topics 413
Introduction to Cisco Secure Firewall 413
Cisco Firewall History and Legacy 413
Introducing the Cisco ASA 414
The Cisco ASA FirePOWER Module 414
Cisco Secure Firewall: Formerly known as Cisco Firepower Threat Defense (FTD) 415
Cisco Secure Firewall 415
Cisco Secure Firewall Migration Tool 415
Cisco Secure Firewall Threat Defense Virtual 416
Cisco Secure Firewall Cloud Native 417
Cisco Secure Firewall ISA3000 418
Cisco Secure WAF and Bot Protection 419
SD-WAN, Firewall Capabilities, and the Cisco Integrated Services Routers (ISRs) 419
Introduction to Cisco Secure Intrusion Prevention (NGIPS) 421
Surveying the Cisco Secure Firewall Management Center (FMC) 423
Cisco SecureX 426
Exploring the Cisco Firepower Device Manager (FDM) 429
Cisco Defense Orchestrator 433
Comparing Network Security Solutions That Provide Firewall Capabilities 435
Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities 437
Routed vs. Transparent Firewalls 437
Security Contexts 438
Single-Mode Transparent Firewalls 439
Surveying the Cisco Secure Firewall Deployment Modes 441
Cisco Secure Firewall Interface Modes 442
Inline Pair 445
Inline Pair with Tap 445
Passive Mode 446
Passive with ERSPAN Mode 447
Additional Cisco Secure Firewall Deployment Design Considerations 447
High Availability and Clustering 448
Clustering 450
Implementing Access Control 452
Implementing Access Control Lists in Cisco ASA 452
Cisco ASA Application Inspection 458
To-the-Box Traffic Filtering in the Cisco ASA 459
Object Grouping and Other ACL Features 460
Standard ACLs 461
Time-Based ACLs 461
ICMP Filtering in the Cisco ASA 462
Network Address Translation in Cisco ASA 463
Cisco ASA Auto NAT 469
Implementing Access Control Policies in the Cisco Firepower Threat Defense 469
Cisco Firepower Intrusion Policies 472
Variables 475
Platform Settings Policy 476
Cisco NGIPS Preprocessors 476
Cisco Secure Malware Defense 478
Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date 483
Security Intelligence Updates 484
Keeping Software Up to Date 484
Exam Preparation Tasks 484
Review All Key Topics 485
Define Key Terms 486
Review Questions 486
Chapter 8 Virtual Private Networks (VPNs) 490
“Do I Know This Already?” Quiz 490
Foundation Topics 494
Virtual Private Network (VPN) Fundamentals 494
An Overview of IPsec 496
IKEv1 Phase 1 496
IKEv1 Phase 2 498
NAT Traversal (NAT-T) 501
IKEv2 501
SSL VPNs 503
Cisco Secure Client Mobility 504
Deploying and Configuring Site-to-Site VPNs in Cisco Routers 506
Traditional Site-to-Site VPNs in Cisco IOS and Cisco IOS-XE Devices 506
Tunnel Interfaces 508
GRE over IPsec 508
More About Tunnel Interfaces 510
Multipoint GRE (mGRE) Tunnels 512
DMVPN 512
GETVPN 515
FlexVPN 518
Debug and Show Commands to Verify and Troubleshoot IPsec Tunnels 522
Configuring Site-to-Site VPNs in Cisco ASA Firewalls 528
Step 1: Enable ISAKMP in the Cisco ASA 529
Step 2: Create the ISAKMP Policy 529
Step 3: Set Up the Tunnel Groups 530
Step 4: Define the IPsec Policy 531
Step 5: Create the Crypto Map in the Cisco ASA 532
Step 6: Configure Traffic Filtering (Optional) 534
Step 7: Bypass NAT (Optional) 534
Step 8: Enable Perfect Forward Secrecy (Optional) 535
Additional Attributes in Cisco Site-to-Site VPN Configurations 535
Configuring Remote-Access VPNs in the Cisco ASA 537
Configuring IPsec Remote-Access VPN in the Cisco ASA 538
Configuring Clientless Remote Access SSL VPNs in the Cisco ASA 540
Cisco ASA Remote-Access VPN Design Considerations 541
Pre-SSL VPN Configuration Steps 542
Understanding the Remote-Access VPN Attributes and Policy Inheritance Model 544
Configuring Clientless SSL VPN Group Policies 544
Configuring the Tunnel Group for Clientless SSL VPN 545
Configuring User Authentication for Clientless SSL VPN 546
Enabling Clientless SSL VPN 548
Configuring WebType ACLs 549
Configuring Application Access in Clientless SSL VPNs 550
Configuring Client-Based Remote-Access SSL VPNs in the Cisco ASA 551
Setting Up Tunnel and Group Policies 552
Deploying the Cisco Secure Client 553
Understanding Split Tunneling 554
Understanding DTLS 555
Configuring Remote-Access VPNs in Cisco Secure Firewall 556
Using the Remote Access VPN Policy Wizard 557
Troubleshooting Cisco Secure Firewall Remote-Access VPN Implementations 566
Configuring Site-to-Site VPNs in the Cisco Secure Firewall 567
Cisco SD-WAN 569
Exam Preparation Tasks 573
Review All Key Topics 573
Define Key Terms 574
Review Questions 575
Chapter 9 Securing the Cloud 578
“Do I Know This Already?” Quiz 579
Foundation Topics 581
What Is Cloud and What Are the Cloud Service Models? 581
DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps 583
The Waterfall Development Methodology 583
The Agile Methodology 583
DevOps 586
CI/CD Pipelines 588
The Serverless Buzzword 589
Container Orchestration 592
A Quick Introduction to Containers and Docker 592
Kubernetes 597
Microservices and Micro-Segmentation 602
DevSecOps 603
Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models 605
Patch Management in the Cloud 607
Security Assessment in the Cloud and Questions to Ask Your Cloud Service Provider 607
Cisco Umbrella 608
The Cisco Umbrella Architecture 609
Secure Internet Gateway 610
Cisco Umbrella Investigate 612
Cisco Secure Email Threat Defense 614
Forged Email Detection 614
Sender Policy Framework 615
Email Encryption 615
Cisco Secure Email Threat Defense for Office 365 615
Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights) 616
Cisco Secure Cloud Analytics 618
AppDynamics Cloud Monitoring 619
Cisco Secure Workload 622
Cisco Secure Workload Agents 622
Application Dependency Mapping 622
Cisco Secure Workload Forensics Feature 623
Cisco Secure Workload Security Dashboard 623
Cisco XDR 627
Introducing the XDR Concept 627
Exploring the Cisco XDR Solution 628
Cisco XDR Threat Intelligence and Automation 632
Exam Preparation Tasks 632
Review All Key Topics 633
Define Key Terms 634
Review Questions 634
Chapter 10 Content Security 638
“Do I Know This Already?” Quiz 638
Foundation Topics 641
Content Security Fundamentals 641
Cisco Async Operating System (AsyncOS) 642
Cisco Secure Web Appliance 642
The Cisco Secure Web Appliance Proxy 643
Cisco Secure Web Appliance in Explicit Forward Mode 644
Cisco Secure Web Appliance in Transparent Mode 646
Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco Secure Web Appliance 647
Configuring WCCP on a Cisco Switch 649
Configuring the Cisco Secure Web Appliance to Accept WCCP Redirection 650
Traffic Redirection with Policy-Based Routing 651
Cisco Secure Web Appliance Security Services 652
Deploying Web Proxy IP Spoofing 653
Configuring Policies in the Cisco Secure Web Appliance 653
Cisco Secure Web Appliance Reports 655
Cisco Secure Email 658
Reviewing a Few Email Concepts 658
Cisco Secure Email Deployment 659
Cisco Secure Email Listeners 660
SenderBase 660
The Recipient Access Table (RAT) 661
Cisco Secure Email Data Loss Prevention 661
SMTP Authentication and Encryption 661
Domain Keys Identified Mail (DKIM) 662
Cisco Content Security Management Appliance (SMA) 662
Exam Preparation Tasks 667
Review All Key Topics 668
Define Key Terms 668
Review Questions 669
Chapter 11 Endpoint Protection and Detection 672
“Do I Know This Already?” Quiz 672
Foundation Topics 674
Introduction to Endpoint Protection and Detection 674
Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR) 676
Cisco Secure Endpoint 676
Outbreak Control 677
IP Blacklists and Whitelists 681
Cisco Secure Endpoint Application Control 683
Exclusion Sets 684
Cisco Secure Endpoint Connectors 687
Cisco Secure Endpoint Policies 687
Cisco Secure Client AMP Enabler 688
Cisco Secure Endpoint Engines 689
Cisco Secure Endpoint Reporting 690
Cisco Threat Response 693
Exam Preparation Tasks 693
Review All Key Topics 693
Define Key Terms 694
Review Questions 694
Chapter 12 Final Preparation 696
Hands-on Activities 696
Suggested Plan for Final Review and Study 696
Summary 697