- 721 Questions
- Updated on: 25-May-2026
- Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Topic 3: Exam Pool C
Which API method and required attribute are used to add a device into DNAC with the native API?
A. lastSyncTime and pid
B. POST and name
C. userSudiSerialNos and deviceInfo
D. GET and serialNumber
Answer: B. POST and name
What is a feature of NetFlow Secure Event Logging?
A. It exports only records that indicate significant events in a flow.
B. It filters NSEL events based on the traffic and event type through RSVP.
C. It delivers data records to NSEL collectors through NetFlow over TCP only.
D. It supports v5 and v8 templates.
Explanation for Each Option:
A. It exports only records that indicate significant events in a flow (Correct):
NetFlow Secure Event Logging (NSEL) is designed to optimize logging efficiency by exporting only records that mark significant events within a flow, such as session start, end, or security-related incidents (e.g., denied packets due to access control lists). This selective approach minimizes data volume while focusing on critical security and operational insights, a core feature of NSEL. (Reference: Cisco NetFlow Configuration Guide, NSEL Overview.)
B. It filters NSEL events based on the traffic and event type through RSVP (Incorrect):
NSEL does not utilize Resource Reservation Protocol (RSVP) for filtering events. RSVP is a protocol for reserving network resources, not for event logging or filtering in NSEL, which relies on NetFlow’s flow monitoring and event-based triggers. This option incorrectly associates NSEL with an unrelated protocol, making it invalid. (Reference: Cisco IOS NetFlow NSEL Documentation.)
C. It delivers data records to NSEL collectors through NetFlow over TCP only (Incorrect):
NSEL primarily uses UDP for delivering data to collectors due to its efficiency and lower overhead, though TCP can be an option for reliability in specific configurations. The claim of "only TCP" is inaccurate, as NSEL supports UDP as the default transport, rendering this option incorrect. (Reference: Cisco NSEL Deployment Guide, Transport Protocols.)
D. It supports v5 and v8 templates (Incorrect):
NSEL operates on NetFlow version 9 (v9), which offers flexible, template-based data export, unlike the fixed-format v5 and v8 versions. NSEL is tailored for enhanced event logging and does not support v5 or v8 templates, making this option factually incorrect for NSEL’s capabilities. (Reference: Cisco NetFlow Version Comparison, NSEL Features.)
Additional Notes:
NSEL, a topic in the 350-701 SCOR exam under network monitoring, enhances security event logging, particularly on Cisco ASA devices. As of 08:55 AM PKT, October 02, 2025, it remains a key tool for flow-based security analysis. For further details, consult the Cisco NetFlow Configuration Guide (cisco.com) and the 350-701 Exam Blueprint (Section 1.0 Security Concepts).
What is an advantage of network telemetry over SNMP pulls?
A. accuracy
B. encapsulation
C. security
D. scalability
Answer: D. scalability
Which Cisco security solution protects remote users against phishing attacks when they are not connected to the VPN?
A. Cisco Stealthwatch
B. Cisco Umbrella
C. Cisco Firepower
D. NGIPS
Explanation for Each Option:
A. Cisco Stealthwatch (Incorrect):
Cisco Stealthwatch is a network visibility and security analytics solution that monitors traffic and detects threats within a network using behavioral analysis. It requires a connected network environment (e.g., via VPN) to analyze traffic and cannot protect remote users against phishing attacks when they are offline or not connected, making this option unsuitable. (Reference: Cisco Stealthwatch Datasheet.)
B. Cisco Umbrella (Correct):
Cisco Umbrella is a cloud-delivered security service that provides DNS-layer protection, blocking malicious domains and phishing sites regardless of the user’s connection status, including when not connected to a VPN. Its always-on protection ensures remote users are safeguarded against phishing attacks by filtering DNS requests, meeting the requirement effectively. (Reference: Cisco Umbrella Datasheet, Roaming Protection.)
C. Cisco Firepower (Incorrect):
Cisco Firepower, including its Next-Generation Firewall (NGFW) and Threat Defense (FTD) capabilities, provides advanced threat protection for network traffic. However, it requires a network connection (e.g., via VPN) to inspect and block threats, and it cannot protect remote users against phishing when they are not connected, rendering this option incorrect. (Reference: Cisco Firepower Overview.)
D. NGIPS (Incorrect):
Next-Generation Intrusion Prevention System (NGIPS), often integrated with Cisco Firepower, detects and blocks intrusions based on traffic analysis. Like Firepower, it operates within a connected network environment and cannot protect remote users against phishing attacks when they are not connected to a VPN, making this option inapplicable. (Reference: Cisco NGIPS Datasheet.)
Additional Notes:
Protecting remote users with Cisco Umbrella is a key topic in the 350-701 SCOR exam under content security. As of 10:23 AM PKT, October 02, 2025, its DNS-based approach is ideal for off-VPN scenarios. For details, refer to the Cisco Umbrella documentation (umbrella.cisco.com) and the 350-701 Exam Blueprint (Section 3.0 Security Concepts).
An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router.
The organization needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of 172.19.20.24.
Which command on the hub will allow the administrator to accomplish this?
A. crypto ca identity 172.19.20.24
B. crypto isakmp key Cisco0123456789 172.19.20.24
C. crypto enrollment peer address 172.19.20.24
D. crypto isakmp identity address 172.19.20.24
Explanation for Each Option:
A. crypto ca identity 172.19.20.24 (Incorrect):
The crypto ca identity command is used to specify a certificate authority (CA) identity for certificate-based authentication in IPsec VPNs, not to restrict the ISAKMP key to a specific IP address. It does not configure pre-shared keys or limit traffic termination, making this option irrelevant to the requirement. (Reference: Cisco IOS IPsec CA Configuration Guide.)
B. crypto isakmp key Cisco0123456789 172.19.20.24 (Correct):
The crypto isakmp key command configures a pre-shared key (Cisco0123456789) for Internet Key Exchange (IKE/ISAKMP) Phase 1 authentication. Specifying the IP address 172.19.20.24 ensures that the key is used only for terminating traffic from that specific peer, meeting the organization’s need to restrict the hub’s ISAKMP key usage. (Reference: Cisco IOS ISAKMP Configuration Guide.)
C. crypto enrollment peer address 172.19.20.24 (Incorrect):
The crypto enrollment peer address command is used during certificate enrollment to specify the peer’s IP address for manual enrollment with a CA, not to configure or restrict ISAKMP keys. It is unrelated to the site-to-site VPN key termination requirement, rendering this option incorrect. (Reference: Cisco IOS PKI Enrollment Guide.)
D. crypto isakmp identity address 172.19.20.24 (Incorrect):
The crypto isakmp identity address command sets the identity type for ISAKMP negotiation to use the IP address, but it does not configure a pre-shared key or restrict the key’s use to a specific peer IP. It defines how the router identifies itself, not the peer restriction needed, making this option unsuitable. (Reference: Cisco IOS ISAKMP Identity Configuration.)
Additional Notes:
Configuring ISAKMP keys for site-to-site VPNs is a key topic in the 350-701 SCOR exam under VPN technologies. As of 11:43 AM PKT, October 02, 2025, this command ensures secure peer-specific authentication. For details, refer to the Cisco IOS Security Configuration Guide (cisco.com) and the 350-701 Exam Blueprint (Section 3.0 Security Concepts).
Which ASA deployment mode can provide separation of management on a shared appliance?
A. DMZ multiple zone mode
B. transparent firewall mode
C. multiple context mode
D. routed mode
Explanation:
Multiple context mode is a virtualization feature on the Cisco ASA that allows a single physical appliance to be partitioned into multiple, independent virtual firewalls, each called a "security context."
C) multiple context mode is CORRECT.
This is the definitive feature for providing separation of management on a shared appliance. In this mode:
Each context has its own separate configuration, security policies, interfaces (logical), and administrators.
An administrator for one context cannot see or manage any other context.
This is ideal for service providers or large enterprises that need to provide fully isolated firewall services to different departments or customers using a single hardware platform.
Why the other options are incorrect:
A) DMZ multiple zone mode is INCORRECT.
This is not a standard ASA deployment mode. A DMZ is a network segment created by firewall policy (e.g., by applying different security levels to interfaces), but it does not provide separate management planes on a shared appliance.
B) transparent firewall mode is INCORRECT.
Transparent mode changes the ASA from a Layer 3 router to a Layer 2 bridge. It is a different operational mode, but it does not create multiple, separately managed virtual firewalls. A transparent firewall is still a single management domain.
D) routed mode is INCORRECT.
Routed mode is the default firewall mode where the ASA acts as a Layer 3 hop. Like transparent mode, it is a single management domain and does not provide the separation of management that multiple contexts offer.
Reference:
Cisco ASA Series Configuration Guide, "Multiple Context Mode": The official documentation states that multiple context mode "lets you partition a single ASA into multiple virtual devices," each with its own configuration and management.
Which two protocols must be configured to authenticate end users to the Web Security Appliance? (Choose two.)
A. NTLMSSP
B. Kerberos
C. CHAP
D. TACACS+
E. RADIUS
Answer: A. NTLMSSP and B. Kerberos
What must be enabled to secure SaaS-based applications?
A. modular policy framework
B. two-factor authentication
C. application security gateway
D. end-to-end encryption
Answer: C. application security gateway
An organization has DHCP servers set up to allocate IP addresses to clients on the LAN. What must be done to ensure the LAN switches prevent malicious DHCP traffic while also distributing IP addresses to the correct endpoints?
A. Configure Dynamic ARP Inspection and add entries in the DHCP snooping database
B. Configure DHCP snooping and set an untrusted interface for all clients
C. Configure Dynamic ARP Inspection and antispoofing ACLs in the DHCP snooping database
D. Configure DHCP snooping and set a trusted interface for the DHCP server
Answer: D. Configure DHCP snooping and set a trusted interface for the DHCP server
Which flaw does an attacker leverage when exploiting SQL injection vulnerabilities?
A. user input validation in a web page or web application
B. Linux and Windows operating systems
C. database
D. web page images
Explanation
At its core, a SQL injection vulnerability is not a flaw in the database itself, the operating system, or any static content like images. It is fundamentally a flaw in the application code—specifically, how that code handles data that comes from a user.
Here is the precise mechanism:
The Trusting Application:
A web application is built to take input from a user (e.g., a username, a search term, an ID number) through a form field or a URL parameter.
The Dynamic Query:
The application takes this user input and, using code, constructs a SQL database query to look up or modify data. For example, a login page might create a query like this:
SELECT * FROM users WHERE username = '[user_input]' AND password = '[user_input]';
The Flaw:
Lack of Validation/Sanitization: The vulnerability exists when the application blindly trusts the user input and concatenates it directly into the SQL query string without checking, cleaning, or separating it from the command itself.
The Exploit:
The Malicious Input: An attacker provides cleverly crafted input that changes the meaning of the SQL command. Instead of entering a simple username, they might enter:
' OR '1'='1
This would result in the final query becoming:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'anything';
Because '1'='1' is always true, this query could bypass authentication and return all users from the database.
The flaw the attacker is leveraging is the failure of the web page or web application to properly validate, sanitize, or parameterize the user input before using it to talk to the database.
Detailed Breakdown of Incorrect Options:
B. Linux and Windows operating systems:
Why it is incorrect:
SQL injection is an application-layer attack. The operating system (OS) on which the web server or database server is running is largely irrelevant. While a successful SQL injection could potentially be used as a stepping stone to attack the underlying OS (a technique known as privilege escalation), the initial vulnerability and the flaw being exploited reside in the application's code, not in the OS kernel or its configuration.
C. database:
Why it is incorrect:
This is a common misconception. Major databases like Oracle, SQL Server, MySQL, and PostgreSQL are not inherently "flawed" in a way that allows SQL injection. They are designed to execute whatever SQL commands they are sent. The problem is that the application is sending a maliciously formed command. The database is simply doing its job by executing it. Properly written application code that uses techniques like prepared statements (which separate the SQL command logic from the data) can use the exact same database without any risk of SQL injection.
D. web page images:
Why it is incorrect:
Static content like images, CSS, or JavaScript files (while they can be vectors for other attacks like XSS if improperly handled) are not involved in the SQL injection process. The exploit occurs when user-controlled input from form fields, URL parameters, or HTTP headers is incorporated into a dynamic SQL query. Images have no bearing on this data flow.
Reference and Key Takeaway:
OWASP (Open Web Application Security Project):
SQL injection has consistently been a top-tier vulnerability in the OWASP Top 10 list of critical web application security risks. OWASP explicitly defines the root cause as "user-supplied input [that] is not validated, filtered, or sanitized by the application."
CWE (Common Weakness Enumeration):
This vulnerability is officially cataloged as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
In summary:
The attacker's leverage point is the trust the application places in unvalidated user input. The defense, therefore, must be implemented in the application's code through rigorous input validation, sanitization, and the use of parameterized queries or prepared statements.
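The concatenated login query described above, next to a parameterized version, as an added example in Python with sqlite3 (not part of the original page). The users table, its rows and the function names are constructed for illustration, and the page's sample input is supplied in the password field.

```python
import sqlite3

# The input quoted on this page.
PAGE_INPUT = "' OR '1'='1"


def make_db():
    # Constructed sample data. Plain-text passwords only mirror the page's
    # query shape; a real application stores salted password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret-A"), ("bob", "s3cret-B")],
    )
    return db


def login_vulnerable(db, username, password):
    # Flaw: user input is concatenated into the SQL text, so a quote
    # character in the input is parsed as SQL syntax, not as data.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in db.execute(query)]


def login_parameterized(db, username, password):
    # Fix: the statement text is fixed and the input is bound to the
    # placeholders as values, so it can never change the query's logic.
    query = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? ORDER BY username"
    )
    return [row[0] for row in db.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, "alice", PAGE_INPUT))
    print("parameterized:", login_parameterized(db, "alice", PAGE_INPUT))
    print("valid login  :", login_parameterized(db, "alice", "s3cret-A"))
```

The same database serves both functions; only the way the application builds the query differs.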