Cisco Designing Cisco Security Infrastructure 300-745 SDSI Exam Questions

Page: 1 / 14
Total 58 questions
Question 1

After a recent security breach, a financial company is reassessing their overall security posture and strategy to better protect sensitive data and resources. The company already deployed on-premises next-generation firewalls at the network edge for each branch location. Security measures must be enhanced at the endpoint level. The goal is to implement a solution that provides additional traffic filtering directly on endpoint devices, thereby offering another layer of defense against potential threats. Which technology must be implemented to meet the requirement?



Answer : A

When moving security closer to the data, the endpoint becomes the final perimeter. A host-based firewall is a software component that runs directly on the endpoint's operating system (Windows, macOS, or Linux). While the company already has Next-Generation Firewalls (NGFWs) at the network edge, those devices cannot protect endpoints from threats originating within the same local network segment (East-West traffic) or when the device is used outside the corporate office.

Implementing a host-based firewall provides a critical layer of defense-in-depth. It lets administrators enforce inbound and outbound rules per application and service on that specific device; for example, it can stop a compromised laptop from scanning, or being scanned by, other devices on a public Wi-Fi network. In practice this is the operating system's native firewall (Windows Defender Firewall, the macOS application firewall and pf packet filter, nftables or iptables on Linux) with rules pushed centrally by policy. Note that the Cisco Secure Client (AnyConnect) Network Visibility Module (NVM) provides endpoint flow telemetry for monitoring: it reports traffic but does not filter it, so it complements a host-based firewall rather than replacing one.

While a Distributed Firewall (Option C) is used for micro-segmentation within data centers/clouds and a Web Application Firewall (WAF) (Option B) protects servers from web-based attacks, only a host-based firewall meets the requirement for traffic filtering directly on the diverse array of endpoint devices. This approach ensures that even if the network edge is bypassed, the individual host remains hardened against lateral movement and unauthorized communication.


Question 2

A product manager is focused on maintaining the security integrity of a microservice-based application as new features are developed and integrated. To ensure that known software vulnerabilities are not introduced into the product, it is crucial to implement a robust application security technique. The technique must be applied during the build phase of the software development lifecycle, which allows the team to proactively identify and address vulnerability risks before deployment. Which application security technique must be applied to accomplish the goal?



Answer : B

In a microservices-based architecture, applications are typically packaged into containers to ensure consistency across different environments. According to the Designing Cisco Security Infrastructure (SDSI) objectives, securing the software development lifecycle (SDLC) requires integrating security checks as far 'left' as possible. Container scanning is the specific technique used during the build phase to inspect container images for known software vulnerabilities (CVEs) within the bundled libraries, binaries, and dependencies.

When a developer initiates a build, the container scanning tool cross-references the layers of the image against vulnerability databases. If a high-risk vulnerability is detected in a base image or a third-party library, the build can be automatically failed, preventing the vulnerable image from ever reaching the registry or production environment. This directly addresses the product manager's goal of ensuring known vulnerabilities are not introduced. While Secret Detection (Option A) is vital for finding leaked API keys or passwords, and Infrastructure as Code (IaC) scanning (Option C) ensures the environment configuration is secure, neither targets the software vulnerabilities within the application package itself. Similarly, OpenAPI specification analysis (Option D) focuses on the contract and security of the interface rather than the underlying software vulnerabilities. Two caveats apply in practice: a scanner only finds vulnerabilities that are already public, so an image that passes today can fail tomorrow when a new CVE is published against a package it contains, which is why images are rescanned in the registry and rebuilt on a schedule rather than only at build time; and the gate should pin base images by digest so that the image that was scanned is exactly the one that ships. Implemented this way, container scanning fits the automated, policy-driven pipeline controls that Cisco's DevSecOps guidance emphasizes for cloud-native applications.
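
The build gate described above, as an added example that is not from the exam page or from any Cisco product. It reads a scanner report (the JSON layout, field names and placeholder CVE identifiers are constructed for illustration, not any vendor's schema), fails the build on fixable findings at or above a severity threshold, and records accepted exceptions separately so the CI log shows why an image was allowed through:

```python
"""Build-stage vulnerability gate for a container image scan.

Added example, not from the exam page or from any Cisco product. The report
layout is a constructed, simplified stand-in for a scanner's JSON output; the
field names are assumptions for illustration only.
"""
import json

# Constructed sample report: an image whose base layer ships an old TLS
# library and whose application layer pins a vulnerable dependency.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/payments-api:1.4.2",
    "results": [
        {"target": "base image (os packages)",
         "vulnerabilities": [
             {"id": "CVE-EXAMPLE-0001", "pkg": "openssl", "installed": "1.1.1n",
              "fixed": "1.1.1w", "severity": "HIGH"},
             {"id": "CVE-EXAMPLE-0002", "pkg": "libc6", "installed": "2.31-13",
              "fixed": None, "severity": "MEDIUM"},
         ]},
        {"target": "app/requirements.txt",
         "vulnerabilities": [
             {"id": "CVE-EXAMPLE-0003", "pkg": "requests", "installed": "2.25.1",
              "fixed": "2.31.0", "severity": "CRITICAL"},
         ]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def evaluate_gate(report_json, fail_on="HIGH", require_fix=True, exceptions=()):
    """Decide whether a build may push its image to the registry.

    Policy: any finding at or above `fail_on` blocks the build, unless
    `require_fix` is set and no fixed version exists yet (nothing the build
    could do about it; it is reported instead). `exceptions` holds finding
    IDs that risk management has explicitly accepted.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, waived, reported = [], [], []
    for result in report["results"]:
        for v in result["vulnerabilities"]:
            finding = {"id": v["id"], "pkg": v["pkg"], "installed": v["installed"],
                       "fixed": v["fixed"], "severity": v["severity"].upper(),
                       "target": result["target"]}
            if finding["id"] in exceptions:
                waived.append(finding)
                continue
            severe = SEVERITY_RANK.get(finding["severity"], 0) >= threshold
            actionable = finding["fixed"] is not None or not require_fix
            if severe and actionable:
                blocking.append(finding)
            else:
                reported.append(finding)
    # Most severe first so the failing build log leads with what matters.
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return {"image": report["image"], "passed": not blocking,
            "blocking": blocking, "waived": waived, "reported": reported}


def summarize(decision):
    """One-line-per-finding summary suitable for a CI job log."""
    lines = [f"{'PASS' if decision['passed'] else 'FAIL'}: {decision['image']}"]
    for f in decision["blocking"]:
        lines.append(f"  BLOCK  {f['severity']:<8} {f['id']} {f['pkg']} "
                     f"{f['installed']} -> fix in {f['fixed']} ({f['target']})")
    for f in decision["waived"]:
        lines.append(f"  WAIVED {f['id']} {f['pkg']} {f['installed']}")
    for f in decision["reported"]:
        lines.append(f"  NOTE   {f['severity']:<8} {f['id']} {f['pkg']} "
                     f"{f['installed']} (no fix yet or below threshold)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(evaluate_gate(SAMPLE_REPORT)))
```

Run as-is the sample image fails on the two fixable findings and notes the unfixed MEDIUM one; passing the two IDs in `exceptions` turns the result into a pass with the waivers listed, which is the shape a risk-acceptance workflow needs so that waivers are visible rather than silent.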


Question 3

A financial company is focused on proactively protecting sensitive data stored on its devices. The company recognizes the risks associated with lost or stolen devices and wants a solution that ensures that if an unauthorized user accesses a device, the data it contains cannot be read or misused. The solution includes implementing a strategy that renders data unreadable without user authentication. Which solution meets the requirement?



Answer : C

For a financial company, protecting 'data at rest' is a critical requirement of the Cisco Security Infrastructure blueprint. While physical security and BIOS-level protections have their place, Data encryption on disk (such as BitLocker, FileVault, or hardware-encrypted drives) is the only solution that fulfills the requirement of rendering the actual data unreadable if the device is lost or stolen.

Disk encryption uses cryptographic algorithms to transform readable data into ciphertext. Without the correct decryption key, which is typically released only after successful user authentication (a passphrase, or a TPM-sealed key unlocked by the user's login), the data is indistinguishable from random bytes even if the drive is removed and connected to a different machine. A Kensington lock (Option A) is a physical deterrent but does not protect the data once the lock is cut or the device is taken. A BIOS password (Option B) can prevent the OS from booting but does not stop an attacker from reading the data directly from the storage media. GPS tracking (Option D) helps with recovery but does not prevent unauthorized data access in the interim. One caveat a practitioner should add: encryption protects data only while the device is powered off or otherwise has the key purged, so a stolen laptop that was merely sleeping or screen-locked still holds the key in memory; a forced shutdown or hibernation policy and a short lock timeout close that gap. Implementing full-disk encryption aligns with the Cisco SAFE principle of pervasive data protection and supports compliance with financial regulations on safeguarding client information on mobile endpoints.



Question 4

Refer to the exhibit.

A software developer noticed that the application's source code had been found on the internet. To prevent a repeat of the incident, the developer applied a DLP policy to stop source code from being uploaded to generative AI tools such as ChatGPT. When testing the policy, the developer noticed that it is still possible to upload the source code. Which action must the developer take to prevent this issue?



Answer : D

In the provided exhibit of the Cisco Data Loss Prevention (DLP) Policy interface (likely within Cisco Umbrella or a similar cloud security gateway), the reason for the policy's failure to stop the upload is clearly visible in the 'Action' column. The rule named 'ChatGPT Source Code' is currently configured with the action set to Monitor.

According to the Cisco SDSI v1.0 objectives regarding application and data security, the Monitor action is designed for visibility and auditing. It allows the traffic to pass through while generating a log entry for security analysts to review. This is often used during an initial 'discovery' phase to understand how data is moving without disrupting business processes. However, to fulfill the requirement of preventing the unauthorized upload of sensitive data---such as application source code---the policy must be enforcement-centric.

By selecting Option D, the developer changes the action from 'Monitor' to Block. In 'Block' mode, the DLP engine actively intercepts the web request to ChatGPT, inspects the content against the 'Source Code' classification, and drops the request on a match, so the data never leaves the corporate environment. Rule order (Option B) matters only when an earlier, broader rule with an Allow action matches the same traffic first and shadows the Block rule; the issue here is the non-enforcing action of the rule itself. Modifying data classifications (Option C) addresses detection rather than enforcement: a rule that already matches the uploads in Monitor mode shows that classification is working. Changing the action to Block is the definitive step; it protects the confidentiality of the source code and prevents further loss of intellectual property.
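
The evaluation semantics described above, as an added example that is not from the exam page and not Cisco's DLP engine. The rule model, the content classifier (a few constructed source-code heuristics) and the sample upload are all made up for illustration; the point it shows is that a Monitor rule logs and still allows, that changing the action to Block is what denies the upload, and that an Allow rule placed above the Block rule would shadow it:

```python
"""Ordered DLP policy evaluation: why a Monitor rule does not stop an upload.

Added example, not the exam page's own material and not Cisco's DLP engine.
The rule model, the content classifier and the sample upload are constructed
for illustration; real engines use far richer classifiers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    destinations: tuple    # hostnames this rule covers
    classification: str    # data label the upload must carry to match
    action: str            # "monitor" (log, allow), "block" (log, deny), "allow"


# Constructed heuristics standing in for a "Source Code" classifier.
SOURCE_CODE_SIGNALS = [
    re.compile(r"^\s*(import|from)\s+\w+", re.M),          # python imports
    re.compile(r"^\s*(def|class)\s+\w+\s*[(:]", re.M),     # python definitions
    re.compile(r"^\s*#include\s*<\w+", re.M),              # C/C++ includes
    re.compile(r"\b(public|private)\s+(static\s+)?\w+\s+\w+\s*\(", re.M),  # java/c#
    re.compile(r"\bfunction\s+\w+\s*\(", re.M),            # javascript
]


def classify(content):
    """Return the set of data labels an upload carries."""
    labels = set()
    if sum(1 for sig in SOURCE_CODE_SIGNALS if sig.search(content)) >= 2:
        labels.add("source_code")
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", content):       # US SSN shape
        labels.add("pii")
    return labels


def evaluate_upload(policy, destination, content):
    """First matching rule wins, as in an ordered DLP rule list.

    Returns (decision, events): decision is "allow" or "block"; events are
    the log records the engine would emit.
    """
    labels = classify(content)
    events = []
    for rule in policy:
        if destination not in rule.destinations or rule.classification not in labels:
            continue
        events.append({"rule": rule.name, "action": rule.action,
                       "destination": destination, "labels": sorted(labels)})
        # Monitor only records the event; the request is still allowed.
        return ("block" if rule.action == "block" else "allow"), events
    return "allow", events   # no rule matched: assumed default for this example


GENAI_HOSTS = ("chat.openai.com", "chatgpt.com")

# Constructed upload: enough signals to be classified as source code.
SAMPLE_UPLOAD = """import os

def rotate_keys(path):
    return [f for f in os.listdir(path) if f.endswith('.pem')]
"""

# What the developer deployed: the rule exists but only monitors.
POLICY_AS_FOUND = [Rule("ChatGPT Source Code", GENAI_HOSTS, "source_code", "monitor")]
# The fix: same rule, action changed to block.
POLICY_FIXED = [Rule("ChatGPT Source Code", GENAI_HOSTS, "source_code", "block")]
# Ordering pitfall: a broad allow rule above the block rule shadows it.
POLICY_SHADOWED = [Rule("GenAI allowed", GENAI_HOSTS, "source_code", "allow"),
                   Rule("ChatGPT Source Code", GENAI_HOSTS, "source_code", "block")]

if __name__ == "__main__":
    for label, policy in (("as found", POLICY_AS_FOUND), ("fixed", POLICY_FIXED),
                          ("shadowed", POLICY_SHADOWED)):
        decision, events = evaluate_upload(policy, "chatgpt.com", SAMPLE_UPLOAD)
        print(f"{label:>9}: {decision} via {[e['rule'] for e in events]}")
```

The monitor case produces exactly the log entry an analyst would see while the upload still succeeds, which is the symptom in the question; a real engine also needs TLS inspection of the upload to classify the body at all, a prerequisite that the policy action alone does not provide.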


Question 5

A financial company is in the process of upgrading network access across the entire company. The solution must ensure least-privilege access control across different network segments and increased security for employees. Which solution approach must the company take?



Answer : D

In the architecture of a modern secure infrastructure, achieving least privilege is a foundational requirement, especially for a financial institution where data sensitivity is high. Role-Based Access Control (RBAC) is the specific methodology used to restrict network access based on the roles of individual users within an enterprise. By implementing RBAC, the security team can ensure that employees only have access to the specific network segments and resources necessary for their job functions, effectively minimizing the internal attack surface.

Within the Cisco Security ecosystem, RBAC is often operationalized through tools like Cisco Identity Services Engine (ISE) using Scalable Group Tags (SGTs). Instead of relying on static IP addresses or complex Access Control Lists (ACLs) that are difficult to maintain across different segments, RBAC allows for dynamic policy enforcement. For example, a 'Financial Auditor' role would automatically be granted access to the accounting segment but blocked from the development segment, regardless of where they plug into the network. While PKI (Option C) provides strong authentication and encryption, and NetFlow (Option A) provides visibility, neither inherently defines the 'least privilege' permission structure. RBAC is the architectural approach that directly maps business requirements to technical access policies, ensuring that security is maintained across segmented environments as required by the Cisco SDSI objectives for secure infrastructure design.



Question 6

The network security team of a private university is conducting a comprehensive audit to evaluate the security posture across the network infrastructure. During the review, the security team found that a trusted vendor disclosed serious vulnerabilities identified in a product that plays a crucial role in the university's CI/CD pipeline. The security team must act promptly to mitigate the potential risks posed by these vulnerabilities. Which action must the security team take first in response to the disclosure?



Answer : C

Standard vulnerability-response practice (NIST SP 800-40 on enterprise patch management, and the Detection and Analysis phase of the NIST SP 800-61 incident handling lifecycle that the SDSI objectives reference) starts with determining whether the organization is actually exposed. Before a team can patch, notify stakeholders, or monitor for exploitation attempts, it must check its asset inventory to confirm whether the affected product, and specifically an affected version of it, is running in the environment.

In a complex CI/CD pipeline, multiple tools and versions coexist. Jumping straight to patching (Option D) without validation can cause unnecessary downtime or break integrated workflows when the vulnerability does not apply to the version in use. Using an IDS (Option A) is a detection and monitoring step that follows confirmation of the risk. Notifying customers (Option B) is a later phase of the process, reserved for confirmed breaches or significant service impact. By confirming the presence and version of the software first, the security team can assess the blast radius accurately and prioritize remediation based on the actual risk to the university's infrastructure. A version match is the first check, not the last: whether the vulnerable component or feature is enabled, and whether it is reachable by an attacker, determines the real exposure and therefore the patch priority. This systematic approach ensures that resources are allocated efficiently and that the security posture is managed on verified data rather than assumptions.
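
The exposure check described above, as an added example that is not from the exam page and not a Cisco tool. The advisory (a hypothetical "pipeline-runner" product with two affected release ranges) and the asset inventory are constructed; in practice the inventory comes from a CMDB, the pipeline's own configuration or an endpoint agent, and the affected ranges come from the vendor's advisory. The comparison is on plain x.y.z release numbers, which is a stated simplification:

```python
"""Confirm exposure before acting on a vendor vulnerability disclosure.

Added example, not part of the exam page and not a Cisco tool. The advisory
and the asset inventory are constructed; real inventories come from a CMDB,
the pipeline's own configuration, or an agent, and real advisories list the
affected and fixed releases in the vendor's own format.
"""
import re


def version_key(version):
    """Numeric components of a dotted version, e.g. '3.4.1' -> (3, 4, 1).

    Suffixes such as '-rc1' are ignored: a constructed simplification that
    is sufficient for plain x.y.z release numbers.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def compare_versions(a, b):
    """-1, 0 or 1 like strcmp; shorter tuples are padded with zeros."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, ranges):
    """ranges: list of (first_affected, first_fixed); first_fixed None = no fix yet."""
    for first_affected, first_fixed in ranges:
        if compare_versions(version, first_affected) < 0:
            continue
        if first_fixed is None or compare_versions(version, first_fixed) < 0:
            return True
    return False


# Constructed advisory for a hypothetical CI/CD product.
ADVISORY = {
    "product": "pipeline-runner",
    "affected": [("3.4.0", "3.4.7"), ("3.5.0", "3.5.2")],
}

# Constructed inventory of what the university actually runs.
INVENTORY = [
    {"host": "ci-runner-01", "product": "pipeline-runner", "version": "3.4.3", "role": "build"},
    {"host": "ci-runner-02", "product": "pipeline-runner", "version": "3.4.7", "role": "build"},
    {"host": "ci-release", "product": "pipeline-runner", "version": "3.5.1", "role": "release"},
    {"host": "artifacts-01", "product": "artifact-store", "version": "3.4.3", "role": "registry"},
    {"host": "ci-legacy", "product": "pipeline-runner", "version": "3.3.9", "role": "build"},
]


def exposed_assets(inventory, advisory):
    """Assets running an affected release of the advisory's product."""
    return [
        asset for asset in inventory
        if asset["product"] == advisory["product"]
        and is_affected(asset["version"], advisory["affected"])
    ]


def first_fix_for(version, advisory):
    """The fixed release that closes the range `version` falls into (None if no fix)."""
    for first_affected, first_fixed in advisory["affected"]:
        if is_affected(version, [(first_affected, first_fixed)]):
            return first_fixed
    return None


def triage(inventory, advisory):
    """Blast-radius summary used to decide whether and where to patch."""
    exposed = exposed_assets(inventory, advisory)
    return {
        "exposed": [a["host"] for a in exposed],
        "roles": sorted({a["role"] for a in exposed}),
        "patch_targets": {a["host"]: first_fix_for(a["version"], advisory) for a in exposed},
    }


if __name__ == "__main__":
    print(triage(INVENTORY, ADVISORY))
```

Note that ci-runner-02 on 3.4.7 is not exposed even though its version sorts next to an affected one, and that artifacts-01 is skipped because it is a different product with a coincidentally identical version string; both are exactly the mistakes a hurried "patch everything" response makes.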



Question 7

A global hotel chain is using Cisco ISE and Cisco switches to manage the network. The hotel company wants to enhance network security by segmenting users and endpoints. The company must ensure that devices within the same VLAN cannot communicate with each other. The goal is to prevent cross-communication without the use of dynamic access control lists. Which action must be taken using Cisco ISE to meet the requirement?



Answer : D

Cisco TrustSec provides software-defined segmentation that decouples access policy from IP addressing and VLAN topology. In a hotel environment where guest privacy is paramount, it is the ISE-driven way to prevent peer-to-peer communication between devices in the same VLAN. Traditional methods for this isolation, such as Private VLANs (PVLANs) or manually maintained ACLs, are difficult to keep consistent at scale across a global infrastructure.

TrustSec replaces IP- and VLAN-based restrictions with Security Group Tags (SGTs; ISE also calls them Scalable Group Tags). When a device connects, ISE authenticates it and assigns an SGT based on its role, identity, or posture, and the switches enforce policy on the tags rather than on addresses. To block communication between devices in the same VLAN without dynamic ACLs (dACLs), ISE assigns all guest endpoints the same SGT, and the Guest-to-Guest cell of the policy matrix holds a Security Group ACL (SGACL) that denies IP traffic where source and destination tags are identical. This intra-SGT isolation blocks guests from reaching their neighbours on the same segment while leaving Guest-to-Internet traffic permitted. Two practical checks: SGACLs are enforced on the egress switch, so the access switches must support SGACL enforcement and have it enabled (on Catalyst IOS XE, cts role-based enforcement globally and cts role-based enforcement vlan-list for the guest VLAN); and the matrix default should be reviewed, since a permissive default leaves any cell that is not explicitly set open. This approach aligns with the Cisco SAFE architecture by providing identity-aware, topology-independent segmentation, letting the hotel chain keep a simple network structure while protecting guests from each other.
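
The policy-matrix logic described here, and the role-to-segment least privilege of Question 5, as one added example that is not from the exam page and not ISE or IOS code. It models a matrix of (source SGT, destination SGT) cells, each holding an ordered SGACL, with a default-deny cell; the group names, SGACL names and ports are constructed, and the Guest-to-Guest cell shows the intra-SGT isolation:

```python
"""Group-based (SGT) policy evaluation: role-based least privilege and
intra-SGT isolation in one matrix.

Added example serving Question 5 (RBAC across segments) and Question 7
(devices in the same VLAN must not talk to each other). It is not part of
the exam page and not ISE or IOS code; it models how a policy matrix of
(source SGT, destination SGT) cells, each holding an ordered SGACL, decides
a flow. Group names, SGACL names and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_sgt: str
    dst_sgt: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 when the protocol has no port


# Each SGACL is an ordered list of (action, protocol, destination port) entries
# in the spirit of IOS ACEs such as "permit tcp dst eq 443" and "deny ip".
# Every list ends with an explicit catch-all so no packet falls off the end.
SGACLS = {
    "Deny_IP":        [("deny", "ip", None)],
    "Permit_IP":      [("permit", "ip", None)],
    "Web_Only":       [("permit", "tcp", 443), ("permit", "tcp", 80), ("deny", "ip", None)],
    "Accounting_App": [("permit", "tcp", 443), ("permit", "tcp", 1433), ("deny", "ip", None)],
}

# Policy matrix: (source SGT, destination SGT) -> SGACL name.
MATRIX = {
    # Hotel guests: same tag on both ends, so guest-to-guest traffic hits this cell.
    ("Guest", "Guest"): "Deny_IP",
    ("Guest", "Internet_Edge"): "Web_Only",
    # Financial auditors reach accounting but never development.
    ("Financial_Auditor", "Accounting_Servers"): "Accounting_App",
    ("Financial_Auditor", "Dev_Servers"): "Deny_IP",
    ("Developer", "Dev_Servers"): "Permit_IP",
    ("Employee", "Corp_Servers"): "Permit_IP",
}
DEFAULT_SGACL = "Deny_IP"   # unlisted cells deny: least privilege by default


def validate_sgacls(sgacls=SGACLS):
    """Refuse a policy where an SGACL lacks a terminal 'ip' entry."""
    for name, entries in sgacls.items():
        if not entries or entries[-1][1] != "ip":
            raise ValueError(f"SGACL {name} has no catch-all entry")
    return True


def evaluate(flow, matrix=MATRIX, sgacls=SGACLS, default=DEFAULT_SGACL):
    """Return (action, sgacl_name) from the first matching entry of the cell."""
    name = matrix.get((flow.src_sgt, flow.dst_sgt), default)
    for action, proto, port in sgacls[name]:
        if proto != "ip" and proto != flow.proto:
            continue
        if port is not None and port != flow.dst_port:
            continue
        return action, name
    raise ValueError(f"SGACL {name} has no catch-all entry")


def reachable_groups(src_sgt, matrix=MATRIX, sgacls=SGACLS, default=DEFAULT_SGACL):
    """Destination groups a source tag can reach on at least one port.

    Handy for reviewing what a role has actually been granted.
    """
    dests = {dst for (_, dst) in matrix}
    result = set()
    for dst in dests:
        name = matrix.get((src_sgt, dst), default)
        if any(action == "permit" for action, _, _ in sgacls[name]):
            result.add(dst)
    return sorted(result)


if __name__ == "__main__":
    validate_sgacls()
    for f in (Flow("Guest", "Guest", "tcp", 445),
              Flow("Guest", "Internet_Edge", "tcp", 443),
              Flow("Financial_Auditor", "Accounting_Servers", "tcp", 1433),
              Flow("Financial_Auditor", "Dev_Servers", "tcp", 22)):
        print(f, "->", evaluate(f))
    print("Financial_Auditor reaches:", reachable_groups("Financial_Auditor"))
```

Because enforcement keys on tags rather than addresses, a guest laptop that moves to a different floor, VLAN or property gets the same Guest-to-Guest deny, and an auditor who plugs into the development wing still cannot reach Dev_Servers; the matrix, not the topology, carries the business rule.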


