Free 400-007 Exam Braindumps (page: 22)


According to the CIA triad principles for network security design, which principle should be the priority for a Zero Trust network?

  A. requirement for data-in-motion encryption and 2FA authentication
  B. categorization of systems, data, and enterprise BYOD assets that are connected to network zones based on individual privacy needs
  C. ensuring that authorized users have high-availability system access from defined zones to defined systems or zones
  D. requirement for data-at-rest encryption for user identification within the VPN termination hardware

Answer(s): A

Explanation:

The CIA triad principles for network security design are confidentiality, integrity, and availability. In a Zero Trust network the priority is confidentiality. Zero Trust grants no implicit trust based on where a user or device sits on the network, so every session must be authenticated (here with 2FA) and every flow protected while it crosses the network (data-in-motion encryption). Option A is the only choice that states that requirement.

The other options describe useful controls, but none of them is the priority principle. Categorizing systems, data, and BYOD assets by privacy need (B) feeds policy but enforces nothing on its own. Guaranteeing high-availability access from defined zones (C) is the availability principle, which Zero Trust does not rank first. Encrypting identity data at rest on the VPN termination hardware (D) protects stored credentials but says nothing about how a session is admitted.

Zero Trust still enforces integrity and availability, but the design starts from confidentiality of every session: encrypt and authenticate first, then authorize each request.



Which two points must network designers consider when designing a new network or evaluating an existing one, in order to understand the high-level design direction with regard to security? (Choose two.)

  A. Consider for only complex networks
  B. Consider organization's security policy standards
  C. Consider for only new network technologies and components
  D. Consider for only multi-site networks
  E. Consider business objectives and goals

Answer(s): B,E

Explanation:

The correct answers are B (consider the organization's security policy standards) and E (consider business objectives and goals).

Whether the task is a new design or an evaluation of an existing network, the security direction comes from two inputs. The organization's security policy and standards define what must be protected and to what level, so the design can be checked against them. The business objectives and goals define what the network exists to deliver, which sets priorities and the level of risk the organization will accept. A design that satisfies the policy but blocks the business, or serves the business while ignoring the policy, fails either way.

Options A, C, and D each limit security consideration to a subset of networks (only complex networks, only new technologies and components, only multi-site networks). Security has to be considered for every network design, so each of these "only" conditions is wrong.



Company XYZ is designing the network for IPv6 security and they have these design requirements:

•A switch or router must deny access to traffic from sources with addresses that are correct, but are topologically incorrect.
•Devices must block Neighbor Discovery Protocol resolutions for destination addresses that are not found in the binding table.

Which two IPv6 security features are recommended for this company? (Choose two.)

  A. IPv6 RA Guard
  B. IPv6 Destination Guard
  C. IPv6 Prefix Guard
  D. IPv6 Source Guard
  E. IPv6 DHCP Guard

Answer(s): B,C

Explanation:

The IPv6 Destination Guard feature works with IPv6 Neighbor Discovery to ensure that the device performs address resolution only for destination addresses that are already known to be active on the link, that is, addresses present in the neighbor binding table. Resolution requests for unknown destinations are dropped instead of being flooded, which meets the second requirement.

The IPv6 Prefix Guard feature works within the IPv6 Source Guard feature, enabling the device to deny traffic originated from addresses that are valid but not topologically correct. It learns the prefixes assigned to the link (from Router Advertisements or DHCP prefix delegation) and blocks traffic whose source lies outside those ranges, which meets the first requirement.

Both features rely on the binding table that IPv6 snooping builds from ND, DHCPv6, and data traffic, so snooping must be enabled on the ports for either guard to have anything to check against. RA Guard (A) and DHCP Guard (E) protect the sources of that information rather than enforcing the two requirements asked for, and Source Guard (D) on its own validates full addresses rather than prefixes.


Reference:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ip6-src-guard.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-xe-16-book/ipv6-dest-guard.html
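As an added example, not from the page or from Cisco's documentation, the following shows how the two selected features would be configured together on a Cisco IOS / IOS XE access switch. Policy names, interface numbers, and the exact policer-free defaults are assumptions; the snooping policy and the uplink RA Guard policy are included because both Destination Guard and Prefix Guard consult the binding table that snooping builds, and Prefix Guard only knows the valid prefixes if RAs come from the legitimate router. The "no validate address" line is an assumption about restricting Source Guard to prefix checks only; leave it out to validate full addresses as well.

```text
! IPv6 First Hop Security: Destination Guard + Prefix Guard (added example; names assumed)
!
! 1. Snooping builds the neighbor binding table from ND, DHCPv6 and data traffic.
ipv6 snooping policy SNOOP-ACCESS
 security-level guard
 device-role node
 tracking enable
!
! 2. Destination Guard: drop ND resolution for destinations not in the binding table.
ipv6 destination-guard policy DG-ACCESS
 enforcement always
!
! 3. Prefix Guard runs inside a Source Guard policy: "validate prefix" checks the
!    source address against prefixes learned from RAs / DHCP-PD.
!    "no validate address" (assumed optional) limits the check to the prefix.
ipv6 source-guard policy SG-PREFIX
 no validate address
 validate prefix
!
! 4. RA Guard on the uplink so only the real router can inject prefixes.
ipv6 nd raguard policy RAG-UPLINK
 device-role router
!
interface GigabitEthernet1/0/24
 description uplink to router
 ipv6 nd raguard attach-policy RAG-UPLINK
 ipv6 snooping attach-policy SNOOP-ACCESS
!
interface range GigabitEthernet1/0/1 - 23
 description access ports
 ipv6 snooping attach-policy SNOOP-ACCESS
 ipv6 destination-guard attach-policy DG-ACCESS
 ipv6 source-guard attach-policy SG-PREFIX
!
! Verification (exec mode)
! show ipv6 neighbors binding
! show ipv6 destination-guard policy DG-ACCESS
! show ipv6 source-guard policy SG-PREFIX
```

When testing, bring up a host with a static address from a prefix the router never advertised: its packets should be dropped on ingress by the Source Guard policy, and the binding table (show ipv6 neighbors binding) should show only addresses learned from valid prefixes. Then send traffic to an address inside the valid prefix that no host owns: with Destination Guard the switch does not generate Neighbor Solicitations for it, so an attacker cannot use unused addresses to flood the router's ND cache.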



Company XYZ wants to improve the security design of their network to include protection from reconnaissance and DoS attacks on their subinterfaces destined toward next hop routers. Which technology can be used to prevent these types of attacks?

  A. DPP
  B. CPPr
  C. CoPP
  D. MPP

Answer(s): B

Explanation:

Control Plane Protection (CPPr) extends Control Plane Policing (CoPP). CoPP applies a single aggregate service policy to the whole control-plane interface, so one policer treats management traffic, routing-protocol traffic, and punted transit traffic alike. CPPr divides the control plane into three subinterfaces, each with its own policy: host (traffic addressed to the router itself), transit (software-switched packets passing through the router toward a next-hop router), and CEF-exception (packets punted by CEF, such as ARP or packets with IP options). CPPr also adds a port filter on the host subinterface that drops packets sent to closed TCP/UDP ports, which blocks port-scan reconnaissance before it reaches the policer, and a queue threshold that limits how many packets per protocol may wait in the control-plane input queue.

The question describes reconnaissance and DoS traffic hitting the subinterfaces carrying traffic toward next-hop routers. That is the transit subinterface, which only CPPr exposes, so CPPr is the technology asked for.

The other options are less suitable. CoPP (C) rate-limits control-plane traffic, but only in aggregate, without the per-subinterface policies and port filtering the question implies. MPP (D) is Management Plane Protection, which restricts which interfaces accept management protocols such as SSH and SNMP; it does nothing for transit traffic. DPP (A) is not a Cisco control-plane protection feature.


Reference:

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/cisco-copp-feature-guide.pdf
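As an added example, not taken from the page or from Cisco's documentation, the following Cisco IOS configuration shows CPPr policies on all three control-plane subinterfaces, with the aggregate CoPP form shown in a comment for comparison. Management subnet, policing rates, and policy names are assumptions; the rates are placeholders and must be sized from measured control-plane load before use.

```text
! Control Plane Protection (CPPr) on Cisco IOS (added example; subnet, rates and names assumed)
!
! Host subinterface: traffic addressed to the router itself.
ip access-list extended CP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended CP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all CP-MGMT
 match access-group name CP-MGMT
class-map match-all CP-ROUTING
 match access-group name CP-ROUTING
!
policy-map CPPR-HOST
 class CP-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class CP-MGMT
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
! Port filter: drop packets to TCP/UDP ports the router is not listening on,
! so a port scan never reaches the policer.
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
policy-map type port-filter PF-CLOSED
 class CLOSED-PORTS
  drop
!
control-plane host
 service-policy input CPPR-HOST
 service-policy type port-filter input PF-CLOSED
!
! Transit subinterface: software-switched packets passing through the router
! toward next-hop routers. This is the subinterface the question targets.
policy-map CPPR-TRANSIT
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane transit
 service-policy input CPPR-TRANSIT
!
! CEF-exception subinterface: punted packets such as ARP, IP options, TTL expiry.
policy-map CPPR-CEF-EXC
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane cef-exception
 service-policy input CPPR-CEF-EXC
!
! Plain CoPP, by contrast, is one policy on the whole control-plane interface:
!   control-plane
!    service-policy input COPP-ALL
!
! Verification (exec mode)
! show policy-map control-plane host
! show policy-map control-plane transit
! show policy-map control-plane cef-exception
```

Two design choices are worth noting. Routing-protocol traffic is policed with exceed-action transmit so that a badly sized rate never drops adjacencies; the counters still show whether the rate is ever exceeded, which is the signal to revisit it. The class-default policers on the transit and CEF-exception subinterfaces are what absorb a flood of punted packets toward next hops, and their conform rates should be set just above the normal punt rate observed on the router.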






Post your Comments and Discuss Cisco® 400-007 exam with other Community members:

RLCCIRCUIT commented on July 15, 2024
I passed the exam with 848 on 12th July. This dump covers most of the questions; I only met 4 new ones. Thanks very much. I will get other exam dumps here.
UNITED STATES