The requirement is to prevent communication between devices within the same VLAN without using dynamic access control lists (dACLs). Cisco TrustSec is the technology designed for this purpose. It provides micro-segmentation by assigning Security Group Tags (SGTs) to endpoints based on their identity or role, as determined by Cisco ISE. Network devices, such as switches, then enforce communication policies using a Security Group ACL (SGACL) matrix. This allows for granular, identity-based policy enforcement that is independent of network topology (like VLANs or IP subnets), effectively isolating hosts even if they reside on the same logical network segment.

A. Implement device posturing: Posturing assesses an endpoint's security compliance (e.g., antivirus status) to determine its level of network access, but it does not enforce traffic policies between devices.

B. Set up endpoint profiling: Profiling identifies and classifies endpoints to inform policy decisions (like assigning a VLAN or SGT), but it is not the mechanism that enforces the communication rules.

C. Enable identity groups: Identity groups are logical containers within ISE used to group users or endpoints for easier policy management; they do not directly implement traffic segmentation on the network.

1. Cisco Identity Services Engine Administrator Guide, Release 3.1, "TrustSec" Chapter, "Cisco TrustSec Solution" section: "Cisco TrustSec technology provides network segmentation by using security groups. This segmentation simplifies network management by defining security policies that are independent of the network topology. In a Cisco TrustSec-enabled network, you can provision network access control based on the user and device identity and roles, and not IP addresses." This highlights that TrustSec operates independently of VLANs and IP-based ACLs.

2. Cisco SD-Access Solution Design Guide (CVD), Chapter 2: "Solution Components and Architecture", Section: "Group-Based Policy": "Micro-segmentation... provides for the ability to create granular policies that can limit the lateral movement of a threat... This is accomplished by using Cisco TrustSec technology with security group tags (SGTs) that represent a logical grouping of users and things. The policy between SGTs is represented in a matrix form, which is centrally managed from Cisco ISE and pushed to the network devices for enforcement." This confirms TrustSec's role in granular, intra-segment policy enforcement.

3. TrustSec Segmentation and Policy Enforcement Design Guide, "Introduction to TrustSec" section: "TrustSec provides topological-independent, role-based segmentation... This is a significant improvement over traditional segmentation methods that rely on VLANs, ACLs, and firewall rules... Policy enforcement is performed on the destination network device by comparing the SGT of the source with the DGT (Destination Group Tag) of the destination in the SGACL matrix." This explicitly contrasts TrustSec with traditional ACLs and confirms its mechanism for intra-VLAN segmentation.

A Web Application Firewall (WAF) is the correct solution as it is specifically designed to operate at the application layer (Layer 7) of the OSI model. It inspects the content of HTTP/HTTPS traffic, including request headers, to identify and block malicious activity targeting web applications. By analyzing the structure and content of headers, a WAF can enforce policies against malformed or invalid requests, effectively mitigating the type of attack described and protecting the web servers from exploitation.

A. antivirus software: This software is designed to detect and remove file-based malware on a host system; it does not inspect live network traffic for malformed HTTP headers.

B. traditional firewall: A traditional firewall operates at the network and transport layers (Layers 3 and 4), filtering traffic based on IP addresses and ports, but lacks the capability to inspect application-layer data like HTTP headers.

D. host-based firewall: This firewall runs on an individual server and typically controls network access at Layers 3 and 4 for specific applications, but it does not perform deep packet inspection of HTTP content.

---

1. Cisco. (n.d.). What Is a WAF (Web Application Firewall)? Cisco. Retrieved from https://www.cisco.com/c/en/us/products/security/what-is-a-waf-web-application-firewall.html

Reference Point: In the "How does a WAF work?" section, it states, "A WAF sits in front of a web application... and analyzes all HTTP (web) traffic... It works by applying a set of rules, often called policies, to the traffic. These policies can help filter out malicious traffic." This confirms its role in inspecting HTTP traffic to block threats.

2. OWASP Foundation. (n.d.). Web Application Firewall. OWASP. Retrieved from https://owasp.org/www-community/WebApplicationFirewall

Reference Point: The document defines a WAF as a security solution that "monitors, filters or blocks HTTP/S traffic to and from a web service." It further explains that WAFs are "able to detect and prevent many of the most common attacks... by inspecting HTTP traffic." This directly supports the use of a WAF for the described scenario.

3. Cisco. (n.d.). What Is a Firewall? Cisco. Retrieved from https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

Reference Point: The section "Types of firewalls" describes packet-filtering firewalls (traditional firewalls) as operating "at the network layer... They don’t check the payload of the packet." This clarifies why a traditional firewall is an incorrect choice for inspecting HTTP header content.

MITRE CAPEC (Common Attack Pattern Enumeration and Classification) is a publicly accessible and community-driven catalog of common attack patterns. Its primary purpose is to provide a standardized language and structure for describing how adversaries exploit weaknesses in applications and other cyber-enabled capabilities. Security engineers use CAPEC during threat modeling to systematically identify and evaluate potential attack vectors that could be used against the system being designed, ensuring a more comprehensive security analysis.

A. Cisco SAFE: This is a security reference architecture that provides design guidance and best practices for building secure networks, not a catalog of specific attack patterns for threat modeling.

B. GDPR: The General Data Protection Regulation is a legal framework for data protection and privacy in the European Union. It is a compliance requirement, not a technical attack framework.

D. SOC2: Service Organization Control 2 is an auditing framework that reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

---

1. MITRE Corporation. (n.d.). About CAPEC. CAPEC™. Retrieved from https://capec.mitre.org/about/index.html.

Reference Specifics: The "About CAPEC" page states, "CAPEC is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses." This directly aligns with the question's need for a framework of attack patterns.

2. Cisco. (2022). Cisco DevSecOps Validated Design Guide. Cisco.

Reference Specifics: Chapter 3, "Threat Modeling," discusses the importance of identifying threats during the design phase. It states, "Threat modeling is a process by which potential threats...can be identified, enumerated, and prioritized." While this guide focuses on methodologies like STRIDE, it establishes the practice of using structured frameworks, for which CAPEC is a prime example for attack patterns.

3. Barnum, S., & Gegick, M. (2005). Common Attack Pattern Enumeration and Classification (CAPEC). MITRE Corporation.

Reference Specifics: Section 1, "Introduction," describes the motivation for CAPEC: "The goal of CAPEC is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy." This document is one of the foundational papers explaining the purpose and structure of the framework.

In the architecture of modern security, Artificial Intelligence (AI) and Machine Learning (ML) are

leveraged to move beyond reactive, signature-based defenses. One of the most significant uses of AI

in securing network infrastructure is the detection of zero-day attacks (often referred to in exam

contexts as "day zero" attacks). A zero-day attack exploits a vulnerability that is unknown to the

software vendor or the public, meaning no signature exists for traditional firewalls or antivirus

software to block it.

AI identifies these threats through behavioral analysis and anomaly detection. By establishing a

highly granular baseline of "normal" network traffic patterns—including flow direction, packet size,

inter-packet arrival times, and protocol behavior—AI models can detect subtle deviations that

indicate a malicious exploit. For example, Cisco Secure Network Analytics (formerly Stealthwatch)

and Encrypted Threat Analytics (ETA) use ML to identify the cryptographic "fingerprints" of malware

even within encrypted traffic, without the need for decryption. This allows the security infrastructure

to identify and mitigate threats at the moment they appear, rather than waiting for a vendor to

release a signature. While load balancing (Option B), traffic shaping (Option C), and Quality of Service

(Option D) are critical for network performance and availability, they are traditional traffic

engineering functions that do not inherently provide the advanced threat detection capabilities

offered by AI-driven security models. Within the Cisco SDSI objectives, AI is positioned as the

primary technology for achieving proactive visibility and reducing the "Mean Time to Detect" (MTTD)

for previously unseen vulnerabilities.

In the context of the Designing Cisco Security Infrastructure (300-745 SDSI) blueprint, Dynamic

Multipoint VPN (DMVPN) is the specialized architectural solution designed for scalable hub-and-

spoke topologies that require the flexibility to evolve into partial or full mesh overlays. DMVPN

leverages a combination of Multipoint GRE (mGRE) tunnels, Next Hop Resolution Protocol (NHRP),

and IPsec encryption to create a dynamic environment.

The primary advantage of DMVPN is its ability to establish "on-demand" tunnels between spoke

sites. In a traditional hub-and-spoke model, traffic between two spokes must transit the hub, which

introduces latency and increases hub resource consumption. With DMVPN, spokes can use NHRP to

discover the public IP addresses of other spokes and build direct tunnels between them

automatically. This allows the pharmaceutical company to maintain a simple hub-and-spoke

management model while benefiting from the performance of a full mesh when traffic patterns

demand it.

While SSL VPNs (Option D) and L2TP (Option B) are excellent for individual remote access, they are

not designed for site-to-site mesh scalability. Crypto maps (Option C) represent the legacy method of

building IPsec tunnels, which requires static, manual configuration of every peer relationship—

making a full mesh practically impossible to manage at scale. DMVPN fulfills the Cisco SDSI objective

of designing highly available and flexible secure infrastructure by automating the complexity of large-

scale tunnel management.