After a recent security breach, a financial company is reassessing its overall security posture and strategy to better protect sensitive data and resources. The company has already deployed on-premises next-generation firewalls at the network edge for each branch location. Security measures must now be enhanced at the endpoint level. The goal is to implement a solution that provides additional traffic filtering directly on endpoint devices, thereby offering another layer of defense against potential threats. Which technology must be implemented to meet the requirement?
Answer : A
When moving security closer to the data, the endpoint becomes the final perimeter. A host-based firewall is a software component that runs directly on the endpoint's operating system (Windows, macOS, or Linux). While the company already has Next-Generation Firewalls (NGFWs) at the network edge, those devices cannot protect endpoints from threats originating within the same local network segment (East-West traffic) or when the device is used outside the corporate office.
Implementing a host-based firewall provides a critical layer of defense-in-depth. It allows security administrators to enforce strict inbound and outbound traffic rules based on applications and services specific to that device. For example, it can prevent a compromised laptop from scanning other devices on a public Wi-Fi network. In the Cisco ecosystem, this is often achieved through the Cisco Secure Client (AnyConnect) using the Network Visibility Module (NVM) or integrated endpoint security suites.
While a Distributed Firewall (Option C) is used for micro-segmentation within data centers/clouds and a Web Application Firewall (WAF) (Option B) protects servers from web-based attacks, only a host-based firewall meets the requirement for traffic filtering directly on the diverse array of endpoint devices. This approach ensures that even if the network edge is bypassed, the individual host remains hardened against lateral movement and unauthorized communication.
A restaurant distribution center recently suffered a password spray attack targeting the Cisco Secure Firepower Threat Defense VPN headend. The attack attempts to gain unauthorized access by trying common passwords across many accounts. The attack poses a significant security threat to the organization's remote access infrastructure. To enhance the security of the VPN setup and minimize the risk of similar attacks in the future, the IT security team must implement effective mitigation measures. Which technique effectively reduces the risk of this type of attack?
Answer : D
In the context of Designing Cisco Security Infrastructure, protecting Remote Access VPN (RAVPN) against brute-force and password spray attacks is a critical objective. On Cisco Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) platforms, the DefaultWEBVPNGroup and DefaultRAGroup are the landing points for any connection request that does not specify a valid Group Alias or Group URL. Attackers frequently target these default profiles because they are often left with 'None' as the authentication method, allowing the attacker to probe for valid usernames without immediate rejection.
By selecting Option D, the security designer ensures that any attempt to access the VPN via these default profiles requires valid AAA credentials. According to Cisco's hardened design guides, it is best practice to point these default profiles to a 'sinkhole' AAA server or a local database with no users. This forces the password spray attack to fail at the initial authentication phase before any sensitive information is leaked or unauthorized access is granted. While Option A (ACLs) provides a temporary fix, it is ineffective against distributed attacks using rotating IP addresses. Option B (Disabling aliases) is a good obfuscation technique but doesn't stop an attacker from hitting the default profile. Option D provides a structural mitigation that aligns with the Cisco SAFE architectural principle of reducing the attack surface by securing every possible entry vector into the private infrastructure.
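As an added example (not Cisco's code) of how a SOC would triage the authentication failures such an attack leaves behind, the script below separates a spray (one source, many accounts) from classic brute force (one source, one account) and counts how many failures landed on the default tunnel groups; the log format, window and thresholds are assumptions.

```python
# Added example (not Cisco code): password-spray vs. brute-force triage over VPN
# auth-failure logs. The log line format below is constructed; real FTD/ASA syslog
# messages differ and need their own parser.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries five accounts once each (spray);
# another hammers a single account (classic brute force).
SAMPLE_LOG = """\
2024-05-01T10:00:01 AUTH_FAIL src=203.0.113.7 user=alice group=DefaultWEBVPNGroup
2024-05-01T10:00:03 AUTH_FAIL src=203.0.113.7 user=bob group=DefaultWEBVPNGroup
2024-05-01T10:00:05 AUTH_FAIL src=203.0.113.7 user=carol group=DefaultWEBVPNGroup
2024-05-01T10:00:07 AUTH_FAIL src=203.0.113.7 user=dave group=DefaultWEBVPNGroup
2024-05-01T10:00:09 AUTH_FAIL src=203.0.113.7 user=erin group=DefaultWEBVPNGroup
2024-05-01T10:01:00 AUTH_FAIL src=198.51.100.9 user=alice group=CORP-VPN
2024-05-01T10:01:30 AUTH_FAIL src=198.51.100.9 user=alice group=CORP-VPN
2024-05-01T10:02:00 AUTH_FAIL src=198.51.100.9 user=alice group=CORP-VPN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) AUTH_FAIL src=(?P<src>\S+) user=(?P<user>\S+) group=(?P<group>\S+)$")

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["group"]

def detect_spray(log, window=timedelta(minutes=5), min_users=5):
    """Return {src_ip: sorted distinct usernames} for sources that failed against
    at least min_users distinct accounts inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, user, _group in parse(log):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def default_group_failures(log):
    """Failures that landed on the default tunnel groups, i.e. requests carrying no
    valid group alias or URL; with AAA enforced there these are rejected outright."""
    return sum(1 for *_, g in parse(log) if g in ("DefaultWEBVPNGroup", "DefaultRAGroup"))
```

The brute-force source is deliberately not reported by `detect_spray`, since a single-account lockout policy already covers that case while a spray sails under it.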
Refer to the exhibit.

In addition to SSL decryption, which firewall feature allows malware to be blocked?
Answer : D
Based on the provided exhibits, the correct firewall feature for blocking malware in this context is File Inspection.
In image_4c047c.png, we see a Cisco Secure Firewall Access Control Policy rule named 'Default Inspect'. This rule is configured to allow traffic from the 'inside' zone to the 'outside' zone while applying deep packet inspection. Crucially, the configuration includes a File Policy field, which is the mechanism used to perform malware analysis and file disposition lookups. By associating a File Policy with an Access Control rule, the firewall can inspect files as they transit the network, calculate their SHA-256 hash, and query the Cisco Collective Security Intelligence cloud to determine if the file is malicious, clean, or unknown.
The evidence of this feature in action is found in image_4b1ebe.png, which shows the Cisco Secure Endpoint (formerly AMP for Endpoints) Device Trajectory. The 'Activity Details' pane specifically identifies a malicious file (iodnxvg.exe) categorized as W32.DFC.MalParent. While the log notes the file was not quarantined because it was in 'audit only mode,' the underlying technology performing the detection is File Inspection. This feature provides the necessary visibility into the contents of encrypted or unencrypted data streams to identify and---when properly configured in a 'Protect' or 'Block' mode---stop the execution of malware. This aligns with the Cisco SDSI objective of building a layered defense that combines perimeter traffic control with granular file-level security.
A technology company has many remote workers who access corporate resources from various locations. The company must ensure that security policies are managed and enforced directly on endpoints, and endpoints are protected from threats regardless of location. Which firewall architecture meets the requirements?
Answer : B
As organizations shift toward a 'borderless' or hybrid work model, the traditional perimeter-based security model becomes insufficient. When employees work from home, coffee shops, or airports, they are no longer behind the enterprise's physical Next-Generation Firewall (NGFW) (Option A). To ensure that security policies are enforced 'regardless of location,' the security must move with the device.
A host-based firewall is a software-defined firewall that resides directly on the endpoint (laptop, workstation, or server). In the Cisco ecosystem, this is often a component of Cisco Secure Client or Cisco Secure Endpoint. Because the firewall is local to the operating system, it can enforce strict inbound and outbound traffic rules even when the user is not connected to a VPN. This protects the device from lateral movement threats on untrusted local networks (like a public Wi-Fi) and ensures that only authorized applications can communicate over the network.
While an NGFW (Option A) provides superior deep packet inspection for the corporate perimeter, and a Web Application Firewall (WAF) (Option C) protects web servers from application-layer attacks, neither provides the local, location-independent protection required for a distributed remote workforce. Implementing a host-based firewall aligns with the Zero Trust architecture promoted by Cisco, where the endpoint itself becomes a micro-perimeter capable of self-protection.
What does watermarking AI generated content prevent?
Answer : B
In the realm of Artificial Intelligence and DevSecOps, watermarking is a critical security technique used to identify the origin of synthetic media. As generative AI models become increasingly sophisticated, they can create highly realistic images, videos, and audio clips---often referred to as deep fakes. These deep fakes pose a significant risk to organizational security and public trust, as they can be used for sophisticated social engineering attacks, such as impersonating executives in 'Business Email Compromise' (BEC) scenarios or spreading misinformation.
By embedding a cryptographic or perceptible watermark into AI-generated content, security systems and users can verify the authenticity and provenance of the media. This proactive measure helps prevent the successful deployment of deep fakes by making it easier for automated security tools to flag synthetic content that lacks a valid 'signature' of origin. While watermarking does not inherently stop the creation of harmful content (Option C) or reduce resource consumption (Option A), it provides a layer of accountability and verification. Similarly, scale changes (Option D) are technical image manipulations that watermarking does not prevent. Within the Cisco SDSI framework, watermarking is viewed as an essential component of the AI security lifecycle, ensuring that generative technologies are used responsibly and that synthetic content is distinguishable from genuine data.
========
How does a SOC leverage flow collectors?
Answer : C
A flow collector (such as Cisco Secure Network Analytics, formerly Stealthwatch) is a critical tool within a Security Operations Center (SOC) for providing 'pervasive visibility' into the network. Instead of capturing every full packet---which is resource-intensive---a flow collector ingests NetFlow or IPFIX data, which contains metadata like source/destination IPs, ports, and the volume of data transferred.
The SOC leverages this data for threat detection and response by establishing a baseline of normal network behavior. When a flow collector identifies an anomaly---such as an endpoint suddenly sending gigabytes of data to an unusual external IP (data exfiltration) or scanning internal ports (lateral movement)---it flags the incident for analysis. Unlike real-time content filtering (Option D), which happens at the gateway (e.g., Cisco Umbrella or WSA), flow collectors provide a historical record and behavioral analysis of all internal and external traffic. They do not perform load balancing (Option B) or backup/recovery (Option A). In the Cisco SDSI framework, flow analysis is essential for identifying the 'unknown unknowns' and providing the forensic evidence needed to understand the scope and path of a security breach.
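The two anomalies named above (bulk egress to a never-seen external host, and many ports probed on one internal peer) as an added example that is not Cisco Secure Network Analytics code: it builds a per-host egress baseline from constructed NetFlow-like records and then scores a second batch against it; the address range and thresholds are assumptions.

```python
# Added example (not Cisco Secure Network Analytics code): baseline-and-anomaly
# checks over constructed NetFlow-like records. Ranges and thresholds are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed flows: (src, dst, dst_port, bytes_sent)
BASELINE_FLOWS = [
    ("10.0.1.5", "93.184.216.34", 443, 20_000),
    ("10.0.1.5", "93.184.216.34", 443, 25_000),
    ("10.0.1.5", "192.0.2.10", 443, 15_000),
    ("10.0.1.5", "10.0.2.20", 445, 5_000),  # internal, not part of the egress baseline
]
RECENT_FLOWS = [
    ("10.0.1.5", "198.51.100.77", 443, 3_000_000_000),  # 3 GB to a never-seen external host
    ("10.0.1.5", "10.0.2.30", 22, 100),   # same host touching many ports on one peer
    ("10.0.1.5", "10.0.2.30", 23, 100),
    ("10.0.1.5", "10.0.2.30", 80, 100),
    ("10.0.1.5", "10.0.2.30", 139, 100),
    ("10.0.1.5", "10.0.2.30", 445, 100),
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def build_baseline(flows):
    """Per internal host: bytes sent to external hosts and the set of external peers seen."""
    base = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            base[src]["bytes"] += nbytes
            base[src]["dsts"].add(dst)
    return base

def find_anomalies(baseline, flows, exfil_factor=10, scan_ports=5):
    """Flag exfiltration (bytes to a new external peer exceed factor x baseline egress)
    and lateral-movement scans (>= scan_ports distinct ports to one internal peer)."""
    alerts, ports = [], defaultdict(set)
    for src, dst, port, nbytes in flows:
        if not is_internal(dst):
            b = baseline.get(src, {"bytes": 0, "dsts": set()})
            if dst not in b["dsts"] and nbytes > exfil_factor * max(b["bytes"], 1):
                alerts.append(("exfiltration", src, dst, nbytes))
        else:
            ports[(src, dst)].add(port)
    for (src, dst), seen in ports.items():
        if len(seen) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(seen)))
    return alerts
```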
Which tool is used to collect, analyze, and visualize logs from network devices, endpoints, and other sources in an enterprise?
Answer : D
In the architectural design of a modern Security Operations Center (SOC), visibility is paramount. Splunk is a leading Security Information and Event Management (SIEM) and log management platform used to aggregate data from disparate sources across the enterprise. According to the Cisco SDSI v1.0 objectives, specifically within the 'Risk, Events, and Requirements' domain, a central repository for telemetry is essential for incident response and threat hunting.
Splunk collects logs, metrics, and other data from network devices (firewalls, switches, routers), endpoints (laptops, servers), and cloud applications. It then indexes this data, allowing security analysts to perform complex searches, create visualizations, and build dashboards that provide a real-time view of the organization's security posture.
While Cisco offers native tools like Cisco Secure Cloud Analytics or Cloud Observability (Option B) for specific cloud and application performance monitoring, Splunk serves as the broader 'single pane of glass' for the entire infrastructure. Cisco Email Security Appliance (Option A) and Cisco Web Security Appliance (Option C) are specialized security engines that generate logs but do not function as the overarching collection and analysis platform for the entire enterprise. By integrating Cisco security products with Splunk, organizations can correlate events---such as a blocked web request from a WSA and a malware alert from a Secure Endpoint---to identify a coordinated attack, fulfilling the Cisco SAFE requirement for pervasive visibility.
========