Technologies, Architecture & Design

Question 1

Network Address Translation (NAT)

Answer 1

an IPv4 technique used to link private IP addresses to public ones.

Question 2

Access control list (ACL)

Answer 2

Lists of users and their permitted actions. Can be identified by ID, network address, or token.

Question 3

Application-based vs. network-based Firewall

Answer 3

• App-based firewalls look at traffic and block/allow actions within applications (even web-connected ones).
• Network-based firewalls are, um, network-based and look at IP addresses and ports.

Question 4

Implicit deny

Answer 4

if it isn’t explicitly allowed, then deny it.

Question 5

Rule-based management

Answer 5

To define desired operational states so that they can be represented as rules.

Question 6

VPN concentrator

Answer 6

A VPN concentrator is a way of managing multiple VPN conversations on a network while keeping them isolated from each other.

Question 7

IPSec

Answer 7

IPSEC is a set protocols for securely exchanging packets at the network layer (layer 3)

Question 8

Tunnel Mode

Answer 8

Tunnel-mode means that the data, as well as source and destination addresses are encrypted.

Question 9

Transport Mode

Answer 9

Transport mode encrypts only the data, allowing an observer to see that a transmission is happening. The original IP header is exposed.

Question 10

Authentication Headers (AH)

Answer 10

Authentication Headers (AH) are a type of header extension that ensure data integrity and authenticity of the data’s origin.

Question 11

Encapsulating Security Payload (ESP)

Answer 11

Encapsulating Security Payload (ESP) header extensions provide confidentiality but do not help with data integrity.

Question 12

Split Tunnel vs. Full Tunnel

Answer 12

• Split-tunnel VPNs do not route all traffic through the VPN. This helps avoid bottlenecks that might come from encrypting all traffic. -
• All traffic going over VPN is called a full tunnel VPN.

Question 13

Transport Layer Security (TLS)

Answer 13

Transport Layer Security (TLS) can be used for VPNs, to exchange keys and create secure tunnels for communication.

Question 14

Always-on VPN

Answer 14

“Always on” VPNs are pre-configured and always on, by default.

Question 15

NIPS

Answer 15

Network-based intrusion prevention systems. NIPS can take automated action to block an attack, as determined by pre-set rules.

Question 16

NIDS

Answer 16

NIDS stands for a network-based intrusion detection system. These detect, log and respond to unauthorized network usage. This can be in real-time or after the fact.

Question 17

Signature Based (IDS)

Answer 17

An IDS can be signature-based, meaning it detects intrusion based on known signature definitions.

Question 18

Heuristic/Behavioral (IPS/IDS)

Answer 18

This means that “normal” behavior is defined, and behavior that is outside of those bounds is considered malicious or bad.

This can have a high false-positive rate

Question 19

Anomaly (IDS)

Answer 19

Anomaly-based is similar and looks for traffic that is anomalous based on known “normal” behavior.

Question 20

Inline vs. Passive (IDS)

Answer 20

IDS can be inline, meaning it monitors data as it flows through the device, or passive, meaning that it copies off the data and examines it offline.

Question 21

In-Band vs. Out-of-Band (IDS)

Answer 21

It can be in-band, meaning that it examines data and can take actions within that system (if something looks bad, don’t send it along). Out-of-band cannot.

Question 22

Security Information and Event Management (SIEM)

Answer 22

• SIEM stands for security information and event management.
• SIEM systems are hardware and software meant to analyze aggregated security data.

Question 23

Agreggation (SIEM)

Answer 23

Aggregation of data: event logs, firewall logs security, application logs.

Question 24

Correlation (SIEM)

Answer 24

Correlation, meaning that events or behaviors can be related based on time, common events, etc.

Question 25

Automated Alert and Triggers (SIEM)

Answer 25

Automated alerts and triggers: you can set rules to alert you based on certain patterns. Your SIEMS can have automated reactions, too.

Question 26

Time Synchronization (SIEM)

Answer 26

SIEMs can render events in UTC and local time(s).

Question 27

Event deduplication (SIEM)

Answer 27

SIEMs can remove redundant event info so that the signal-to-noise ratio is better.

Question 28

Data Loss Prevention (DLP)

Answer 28

DLP (Data Loss prevention) refers to methods of detecting and preventing unauthorized transfers of data across an organization

Question 29

USB Blocking (DLP)

Answer 29

USB blocking: either physically disabling the points, or a software-based solution.

Question 30

Cloud Based (DLP)

Answer 30

Cloud-based DLP gets harder, since you have to move _some _data to and from the cloud.

Question 31

E-Mail (DLP)

Answer 31

Organizations might disallow or scan email attachments.

Question 32

Network access control (NAC)

Answer 32

• To help large organizations to manage network connections.
• Network Access Protection (NAP) is the Microsoft option, Network Admission Control (NAC) is the Cisco option.

Question 33

Dissolvable vs. permanent (NAC)

Answer 33

NAP or NAC related agents can be permanent deployed to a host. They an also be dissolvable, meaning that they are used (and discarded) on an as-needed basis.

Question 34

Host Health Checks (NAC)

Answer 34

Run health checks on a host before letting it connect to the network.

Question 35

Mail Gateway

Answer 35

• Mail gateways are machines that process email packets on a network.

-They also filter spam, manage data loss and handle encryption.

Question 36

Spam Filter

Answer 36

Gateways can filter spam through blacklisting known spam sources.

Question 37

Bridge

Answer 37

• Bridges work at the layer 2 level and connect two separate network segments.
• This can play into security concerns because traffic separation can keep sensitive information more sequestered.

Question 37

SSL/TLS Accelerator

Answer 37

Encryption takes time and processing power. SSL/TLS accelerators are dedicated devices that help alleviate encryption bottlenecks within organizations.

Question 38

SSL Decryptor

Answer 38

SSL decryptors allow for traffic screening. They’re effectively a man-in-the-middle attack, and decrypt information, check it, and then re-encrypt and forward it.

Question 39

Media Gateway

Answer 39

Media gateways are machines meant to handle different media protocols, including translating from one protocol to another.

Question 40

Hardware Security Module

Answer 40

Hardware security modules (HSMs) are devices meant to manage or store encryption keys.