  • Updated on: 25-May-2026
  • Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 2: Exam Pool B

What are two characteristics of Cisco DNA Center APIs? (Choose two)

A. Postman is required to utilize Cisco DNA Center API calls.

B. They do not support Python scripts.

C. They are Cisco proprietary.

D. They quickly provision new devices

E. They view the overall health of the network

D.   They quickly provision new devices
E.   They view the overall health of the network



Which DoS attack uses fragmented packets to crash a target machine?

A. smurf

B. MITM

C. teardrop

D. LAND

C.   teardrop



A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

Which RADIUS attribute can you use to filter MAB requests in an 802.1X deployment?

A. 1

B. 2

C. 6

D. 31

C.   6

Explanation:
In an 802.1X deployment, it is crucial to distinguish between different types of authentication attempts to apply the correct policy. MAC Authentication Bypass (MAB) is used for devices that cannot use the 802.1X supplicant, like printers or IoT devices.

The key to filtering MAB requests lies in identifying the EAP-Type used during the authentication attempt.

Let's break down the RADIUS attributes:

Why Option C (6) is Correct:
RADIUS Attribute 6 is Service-Type. During a MAB authentication, the switch sends a RADIUS Access-Request to the server (like Cisco ISE) with the Service-Type attribute set to a value of 10, which stands for Call Check. This "Call Check" service type is the definitive indicator that the request is a MAB attempt. In Cisco ISE, you can create an authorization policy condition that checks for Service-Type Equals Call Check to identify and filter MAB requests separately from 802.1X requests.

Why Option A (1) is Incorrect:
RADIUS Attribute 1 is User-Name. In a MAB request, this attribute contains the MAC address of the device. While you can use this to identify the specific device, it is not the attribute that definitively identifies the type of authentication method as MAB.

Why Option B (2) is Incorrect:
RADIUS Attribute 2 is User-Password. This attribute is used to convey a password and is not a reliable filter for the authentication method itself.

Why Option D (31) is Incorrect:
RADIUS Attribute 31 is Calling-Station-ID. Similar to the User-Name attribute, this very commonly contains the MAC address of the connecting device in a MAB scenario. However, like User-Name, it identifies the device, not the method. An 802.1X request can also populate the Calling-Station-ID with a MAC address.

Reference:
This is a key concept in the Secure Network Access, Visibility, and Enforcement domain, specifically for deploying Cisco Identity Services Engine (ISE). Creating separate authentication policies for 802.1X and MAB based on the Service-Type attribute is a fundamental and recommended practice for a secure and functional network access control design.
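The Service-Type check described above, as an added example (not from the original page and not Cisco ISE code): it parses a RADIUS Access-Request using the RFC 2865 layout and flags MAB when attribute 6 equals Call Check (10). Both packets are constructed samples; the 802.1X one assumes Service-Type Framed (2) and omits the EAP-Message attribute a real request would carry.

```python
import struct

# RADIUS attribute numbers and Service-Type values (RFC 2865)
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
FRAMED, CALL_CHECK = 2, 10
ACCESS_REQUEST = 1

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: raw value} from a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20          # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep first
        pos += a_len
    return attrs

def is_mab(packet: bytes) -> bool:
    """True when Service-Type (6) is present and equals Call Check (10)."""
    value = parse_attributes(packet).get(SERVICE_TYPE)
    return (value is not None and len(value) == 4
            and struct.unpack("!I", value)[0] == CALL_CHECK)

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

MAC = b"00-11-22-33-44-55"       # constructed sample endpoint
MAB_REQUEST = build_request([
    (USER_NAME, b"001122334455"),            # MAC address as the user name
    (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
    (CALLING_STATION_ID, MAC)])
DOT1X_REQUEST = build_request([
    (USER_NAME, b"alice"),                   # hypothetical 802.1X identity
    (SERVICE_TYPE, struct.pack("!I", FRAMED)),
    (CALLING_STATION_ID, MAC)])              # same MAC, different method

if __name__ == "__main__":
    for name, pkt in (("MAB", MAB_REQUEST), ("802.1X", DOT1X_REQUEST)):
        print(name, "is_mab =", is_mab(pkt))
```

Both sample requests carry the same Calling-Station-ID, so only attribute 6 separates them.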

Which attack type attempts to shut down a machine or network so that users are not able to access it?

A. smurf

B. bluesnarfing

C. MAC spoofing

D. IP spoofing

A.   smurf

Explanation:
The question describes a Denial-of-Service (DoS) attack, which aims to make a machine or network resource unavailable to its intended users.

A) smurf is CORRECT.
A Smurf attack is a specific, historical type of distributed denial-of-service (DDoS) attack. It works by sending a large number of Internet Control Message Protocol (ICMP) echo request (ping) packets to a network's broadcast address. The packets are spoofed to appear as if they came from the victim's IP address. Every machine on the network then replies to the victim, overwhelming it with traffic and causing a denial of service.

Why the other options are incorrect:

B) bluesnarfing is INCORRECT.
Bluesnarfing is an attack against Bluetooth-enabled devices. It involves unauthorized access to and theft of information (like contacts, emails, etc.) from a wireless device. Its goal is data theft, not shutting down a network.

C) MAC spoofing is INCORRECT.
MAC spoofing involves changing a device's Media Access Control (MAC) address to impersonate another device on the local network. This is typically used to bypass network access controls or for session hijacking, not to cause a denial of service.

D) IP spoofing is INCORRECT.
IP spoofing is the technique of creating IP packets with a forged source IP address. It is a method used in many other attacks (including the Smurf attack) to hide the attacker's identity or to exploit trust relationships. However, IP spoofing by itself does not constitute a denial-of-service attack; it is a component of one.

Reference:

CISSP/Cybersecurity Fundamentals: Denial-of-Service attacks are a core category, with the Smurf attack being a classic example of an ICMP-based amplification attack.

Cisco Security Certifications: The SCOR exam blueprint includes knowledge of common network attacks, including various DoS and DDoS techniques like the Smurf attack.

In an IaaS cloud services model, which security function is the provider responsible for managing?

A. Internet proxy

B. firewalling virtual machines

C. CASB

D. hypervisor OS hardening

D.   hypervisor OS hardening



Explanation:
In an IaaS model (like AWS EC2, Azure VMs, Google Compute Engine), the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

Let's break down the responsibilities:

D) hypervisor OS hardening is CORRECT.
The hypervisor is the fundamental software that creates and runs virtual machines. The physical security of the data centers, the security of the underlying network infrastructure, and the hardening and security of the hypervisor itself are all the core responsibility of the cloud provider (e.g., AWS, Azure, Google). The customer has no access to or control over this layer.

Why the other options are incorrect (these are customer responsibilities in IaaS)

A) Internet proxy is INCORRECT.
Controlling and filtering outbound internet traffic from virtual machines is the customer's responsibility. This can be fulfilled by deploying a virtual firewall or proxy appliance within the customer's virtual network.

B) firewalling virtual machines is INCORRECT.
While the cloud provider offers network-level security groups or ACLs as a basic service, the configuration and management of these firewalls to create a secure architecture for the VMs is the customer's responsibility. More advanced, next-generation firewalling is always a customer responsibility, typically deployed as a virtual appliance.

C) CASB (Cloud Access Security Broker) is INCORRECT.
A CASB is a security policy enforcement point placed between cloud service consumers and providers. It is used to monitor activity and enforce security policies for cloud services (often SaaS). Deploying and managing a CASB is the responsibility of the customer, not the IaaS provider.

Summary of IaaS Responsibility:

Provider Responsibility:
Physical security, network infrastructure, hypervisor.

Customer Responsibility:
Operating system of the VMs, application security, data, identity and access management (IAM), and network security rules/firewalls within the virtual network.

Reference:

AWS Shared Responsibility Model: Clearly states that AWS is responsible for the "Security of the Cloud," including "Compute, Storage, Database, Networking" infrastructure and the "Virtualization layer."

Microsoft Azure Shared Responsibility Model: Similarly defines that Microsoft is responsible for the "Physical hosts, Network, and Datacenter," which includes securing the hypervisor and host OS.

Which network monitoring solution uses streams and pushes operational data to provide a near real-time view of activity?

A. SNMP

B. SMTP

C. syslog

D. model-driven telemetry

D.   model-driven telemetry



https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide

Which algorithm provides asymmetric encryption?

A. RC4

B. AES

C. RSA

D. 3DES

C.   RSA



Which two cryptographic algorithms are used with IPsec? (Choose two)

A. AES-BAC

B. AES-ABC

C. HMAC-SHA1/SHA2

D. Triple AMC-CBC

E. AES-CBC

C.   HMAC-SHA1/SHA2
E.   AES-CBC

Explanation:
IPsec uses two main types of cryptographic algorithms:

Encryption algorithms to provide confidentiality.

Integrity algorithms to provide data integrity and authentication.

Let's break down the correct answers:

C) HMAC-SHA1/SHA2 is CORRECT.
This is an integrity algorithm. HMAC (Hash-based Message Authentication Code) is the mechanism used within IPsec's Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols to ensure that packets have not been tampered with in transit. SHA-1 and the more secure SHA-2 family (SHA-256, SHA-384) are the specific hash functions used within HMAC.

E) AES-CBC is CORRECT.
This is an encryption algorithm. AES (Advanced Encryption Standard) is the most common symmetric encryption cipher used in modern IPsec implementations. CBC (Cipher Block Chaining) is a specific mode of operation for AES. While other modes like AES-GCM are becoming more popular (as they provide both encryption and integrity in one step), AES-CBC is a widely supported and valid algorithm for IPsec.

Why the other options are incorrect:

A) AES-BAC is INCORRECT.
"BAC" is not a valid mode of operation for the AES algorithm.

B) AES-ABC is INCORRECT.
"ABC" is not a valid mode of operation for the AES algorithm.

D) Triple AMC-CBC is INCORRECT.
This appears to be a misspelling or distractor. The correct algorithm is 3DES-CBC (Triple Data Encryption Standard in Cipher Block Chaining mode). While 3DES was used in the past, it is now considered weak and deprecated in favor of AES.

Reference:

IETF RFCs for IPsec: Foundational RFCs like RFC 4303 (ESP) and RFC 4305 (Cryptographic Algorithm Implementation Requirements) specify the use of AES and HMAC-SHA for encryption and integrity, respectively.

Cisco IPsec VPN Configuration Guides: The configuration commands for creating IPsec transform sets explicitly list these algorithms (e.g., esp-aes, esp-sha-hmac).

Which two behavioral patterns characterize a ping of death attack? (Choose two)

A. The attack is fragmented into groups of 16 octets before transmission.

B. The attack is fragmented into groups of 8 octets before transmission.

C. Short synchronized bursts of traffic are used to disrupt TCP connections.

D. Malformed packets are used to crash systems.

E. Publicly accessible DNS servers are typically used to execute the attack.

B.   The attack is fragmented into groups of 8 octets before transmission.
D.   Malformed packets are used to crash systems.



Explanation:
Ping of Death (PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. A correctly formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered, and 84 including the Internet Protocol version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the documented Internet Protocol. Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.
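A reassembly sanity check covering both the ping of death explanation above and the earlier teardrop explanation, as an added example that is not part of the original page: it takes the fragment offsets (in 8-octet groups) and payload lengths of one datagram and reports fragments that overlap or that would reassemble past 65,535 bytes. The function name, finding labels and sample fragment sets are constructed for illustration, and a 20-byte IP header without options is assumed.

```python
MAX_IP_DATAGRAM = 65535   # largest IPv4 total length, header included
IP_HEADER_LEN = 20        # assumption: IPv4 header without options

def check_fragments(fragments):
    """Validate the fragments of one datagram before reassembly.

    fragments: list of (offset_units, payload_len), where offset_units is
    the IPv4 Fragment Offset field, counted in groups of 8 octets.
    Returns a sorted list of findings; an empty list means nothing was flagged.
    """
    findings = set()
    # Convert each fragment to the byte span it claims in the payload.
    spans = sorted((off * 8, off * 8 + length) for off, length in fragments)
    max_end = 0
    for start, end in spans:
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            # Reassembled datagram would exceed the IPv4 maximum.
            findings.add("oversized-reassembly")
        if start < max_end:
            # Fragment claims bytes an earlier fragment already covered.
            findings.add("overlapping-fragments")
        max_end = max(max_end, end)
    return sorted(findings)

# Constructed sample fragment sets, as (offset_units, payload_len)
NORMAL = [(0, 1480), (185, 1480), (370, 1048)]   # contiguous, 4008 bytes
OVERLAPPING = [(0, 36), (3, 4)]                  # second starts at byte 24
OVERSIZED = [(0, 1480), (8189, 1480)]            # ends at byte 66992

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL),
                        ("overlapping", OVERLAPPING),
                        ("oversized", OVERSIZED)):
        print(name, check_fragments(frags))
```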

An engineer is configuring 802.1X authentication on Cisco switches in the network and is using CoA as a mechanism. Which port on the firewall must be opened to allow the CoA traffic to traverse the network?

A. TCP 6514

B. UDP 1700

C. TCP 49

D. UDP 1812

B.   UDP 1700

Explanation:
This question involves the integration of network access control across different network segments, specifically allowing a central policy server to communicate with network access devices (switches) that may be behind a firewall.

Let's break down the key terms and each option:

CoA (Change of Authorization):
This is a RADIUS packet type defined in RFC 5176. It allows a RADIUS server (like Cisco ISE) to dynamically send a command to a network device (like a switch, router, or wireless controller) to change the authorization status of a user session after the initial authentication. Examples include re-authenticating a user, disconnecting a user, or bouncing a port.

Why Option B (UDP 1700) is Correct:
The standard destination port for a CoA packet is UDP 1700. For CoA to work, the firewall must permit traffic from the RADIUS server to the network access device on this port. There is also a related port, UDP 1700, used for Disconnect Messages (DM), which are similar but used to immediately terminate a session.

Why the Other Options are Incorrect:

Why Option A (TCP 6514) is Incorrect:
TCP 6514 is the default port for the RADIUS over TLS (RadSec) protocol. This is used for secure, TCP-based communication of RADIUS packets between servers and clients, but it is not the standard port for CoA.

Why Option C (TCP 49) is Incorrect:
TCP 49 is the port for the TACACS+ protocol. TACACS+ is primarily used for administrative access to network devices (AAA for device management), not for 802.1X user authentication or CoA commands, which are part of the RADIUS protocol family.

Why Option D (UDP 1812) is Incorrect:
UDP 1812 is the standard port for the initial RADIUS Authentication packets. This is the port used when the switch (the NAS) first contacts the RADIUS server to authenticate a user. CoA is a separate, subsequent communication initiated by the server back to the switch, and it uses its own dedicated port (UDP 1700).

Reference:
This falls under the Secure Network Access, Visibility, and Enforcement domain. A critical part of deploying a solution like Cisco ISE is ensuring proper network connectivity for all its functions. Understanding that CoA uses UDP port 1700 is essential for firewall rules to enable dynamic policy enforcement, such as quarantining a device or requiring re-authentication.
