3.3 Flashcards

(50 cards)

1
Q

What are the functions of Load Balancers?

A

-Configurable load
–Manage across servers

-TCP offload
–Protocol overhead

-SSL offload
–Encryption/Decryption

-Caching
–Fast response

-Prioritization
–QoS

-Content Switching
–Application-centric balancing

3
Q

What is the scheduling for Load balancers?

A

-Round-robin
–Each server is selected in turn

-Weighted round-robin
–Prioritize the server use

-Dynamic round-robin
–Monitor the server load and distribute to the server with the lowest use

-Active/active load balancing

4
Q

What is affinity (load balancer)?

A

-Affinity
–A kinship, a likeness

-Many applications require communication to the same instance
–Each user is “stuck” to the same server
–Tracked through IP address or session IDs
–Source affinity / sticky session / session persistence

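Worked example (added here, not part of the original deck): the three scheduling methods from card 3 and the source affinity of card 4, written out in Python. Server names, weights, load figures and client addresses are constructed for the example.

```python
import itertools

# Constructed server pool for this example (hostnames and weights are made up).
SERVERS = ["web1", "web2", "web3"]
WEIGHTS = {"web1": 3, "web2": 1, "web3": 1}


def round_robin(servers, n):
    """Round-robin: each server is selected in turn, n picks in total."""
    cycle = itertools.cycle(servers)
    return [next(cycle) for _ in range(n)]


def weighted_round_robin(servers, weights, n):
    """Weighted round-robin: a server with weight 3 gets three slots per cycle,
    so the bigger box receives proportionally more connections."""
    slots = [s for s in servers for _ in range(weights[s])]
    cycle = itertools.cycle(slots)
    return [next(cycle) for _ in range(n)]


def dynamic_round_robin(servers, load, n):
    """Dynamic round-robin: hand each new connection to the server with the
    lowest current load, then account for the connection we just added.
    `load` is a dict of server -> active connections (from health monitoring)."""
    load = dict(load)                      # do not mutate the caller's view
    picks = []
    for _ in range(n):
        server = min(servers, key=lambda s: (load[s], s))  # stable tie-break by name
        picks.append(server)
        load[server] += 1
    return picks


class StickyBalancer:
    """Source affinity / sticky sessions: the first request from a client IP is
    scheduled round-robin; every later request from that IP is pinned to the
    same backend so server-side session state keeps working."""

    def __init__(self, servers):
        self._cycle = itertools.cycle(servers)
        self.table = {}                    # client IP -> pinned server

    def pick(self, client_ip):
        if client_ip not in self.table:
            self.table[client_ip] = next(self._cycle)
        return self.table[client_ip]
```

Two caveats a practitioner runs into: affinity keyed on source IP collapses when many clients sit behind one NAT address (they all land on one server), and a backend removed from the pool leaves stale entries in the table. Production balancers therefore usually key affinity on a session cookie and expire entries.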
5
Q

What is physical segmentation?

A

-Devices are physically separate
–Air gap between switch A and switch B

-Must be connected to provide communication
–Direct connect, or another switch or router

-Web servers in one rack
–Database servers on another

-Customer A on one switch, customer B on another
–No opportunity for mixing data

6
Q

What are logical segmentations with VLANs?

A

-Virtual Local Area Networks (VLANs)
–Separated logically instead of physically
–Cannot communicate between VLANs without a Layer 3 device / router

7
Q

What is the Screened Subnet?

A

-Previously known as the demilitarized zone (DMZ)
–An additional layer of security between the internet and you
–Public access to public resources

8
Q

What is the Extranet?

A

-A private network for partners
–Vendors, suppliers

-Usually requires additional authentication
–Only allow access to authorized users

10
Q

What is the Intranet?

A

-Private network
–Only available internally

-Company announcements, important documents, other company business
–Employees only

-No external access
–Internal or VPN access only

11
Q

What is East-West and North-South traffic?

A

-Traffic flows within a data center
–Important to know where traffic starts and ends

-East-West
–Traffic between devices in the same data center
–Relatively fast response times

-North-south traffic
–Ingress/egress to an outside device
–A different security posture than east-west traffic

12
Q

What is Zero Trust?

A

-Many networks are relatively open on the inside
–Once you’re through the firewall, there are few security controls

-Zero trust is a holistic approach to network security
–Covers every device, every process, every person

-Everything must be verified
–Nothing is trusted
–Multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.

13
Q

What are VPNs?

A

-Virtual Private Networks
–Encrypted (private) data traversing a public network

-Concentrator
–Encryption/decryption access device
–Often integrated into a firewall

-Many deployment options
–Specialized cryptographic hardware
–Software-based options available

-Used with client software
–Sometimes built into the OS

14
Q

What is an SSL VPN?

A

-Secure Socket Layer Virtual Private Network

-Uses common SSL/TLS protocol (tcp/443)
–Almost no firewall issues

-No big VPN clients
–Usually remote access communication

-Authenticate users
–No requirement for digital certificates or pre-shared keys (as IPsec uses)

15
Q

What is an HTML5 VPN?

A

-Hypertext Markup Language version 5
–The language commonly used in web browsers

-Includes comprehensive API support
–Application Programming Interface
–Web Cryptography API

-Create a VPN tunnel without a separate VPN application
– Nothing to install

-Use an HTML5 compliant browser
–Communicate directly to the VPN concentrator

16
Q

What is a Site-to-Site VPN?

A

-Always-on
–Or almost always

-Firewalls often act as VPN concentrators
–Probably already have firewalls in place

17
Q

What is L2TP?

A

-Layer 2 Tunneling Protocol
–Connecting sites over a layer 3 network as if they were connected at layer 2

-Commonly implemented with IPsec
–L2TP for the tunnel, IPsec for the encryption
–L2TP over IPsec (L2TP/IPsec)

18
Q

What is the Authentication Header (AH)?

A

-Keyed hash (HMAC) over the packet and a shared key
–HMAC with SHA-2 (e.g., SHA-256) is common
–Adds the AH to the packet header

-This doesn't provide encryption
–Provides data integrity (hash)
–Guarantees the data origin (authentication)
–Prevents replay attacks (sequence numbers)

19
Q

What is ESP?

A

-Encapsulating Security Payload

-Encrypts and authenticates the tunneled data
–Commonly uses HMAC-SHA-2 for the integrity check, AES for encryption
–Adds a header, a trailer, and an integrity check value (ICV)

-Combine with Authentication Header (AH) for integrity and authentication of the outer header

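Worked example (added here, not the deck's own material) for cards 18 and 19: the integrity and anti-replay part that AH and ESP share, written with Python's standard library. The sender prepends a sequence number and appends an HMAC-SHA-256 integrity check value truncated to 96 bits, as IPsec's HMAC-SHA-256-96 does; the receiver verifies the ICV and then enforces a sliding anti-replay window. Simplifications, stated as assumptions: the key is a constructed constant rather than one negotiated by IKE, the ICV covers only sequence number plus payload rather than the IP header fields real AH includes, and ESP's encryption of the payload is left out.

```python
import hashlib
import hmac
import struct

# Constructed example key; a real IPsec SA gets its integrity key from IKE.
KEY = b"example-shared-integrity-key"
ICV_LEN = 12           # 96-bit truncated HMAC, as in HMAC-SHA-256-96


def protect(seq, payload, key=KEY):
    """Sender side: [seq (4 bytes)] + payload + ICV(seq + payload)."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    """Receiver side: verify the ICV first, then apply a sliding anti-replay
    window of `window` sequence numbers (IPsec requires at least 32; 64 is common).
    Returns (True, payload) or (False, reason)."""

    def __init__(self, key=KEY, window=64):
        self.key = key
        self.window = window
        self.highest = 0           # highest sequence number accepted so far
        self.seen = set()          # accepted sequence numbers inside the window

    def accept(self, packet):
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated"
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        # compare_digest keeps the comparison time independent of where the mismatch is.
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV"
        (seq,) = struct.unpack("!I", header)
        if seq == 0:
            return False, "seq 0 not allowed"       # IPsec never uses sequence number 0
        if seq <= self.highest - self.window:
            return False, "too old"                 # fell off the left edge of the window
        if seq in self.seen:
            return False, "replay"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # Slide the window: forget anything that is now outside it.
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, body
```

The ordering matters: the ICV is checked before the replay window is consulted, so an attacker who cannot forge the ICV cannot move the window or fill it with junk, and a replayed copy of a genuine packet is rejected even though its ICV is perfectly valid.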
20
Q

What is Broadcast?

A

-Sends information to everyone at once
–One frame or packet, received by everyone
–Every device must examine the broadcast

-Limited scope
–The broadcast domain

-Routing updates, ARP requests
–Can add up quickly

-Malicious software or a bad NIC
–Not always normal traffic

-Not used in IPv6
–Focus on multicast

21
Q

What is broadcast storm control?

A

-The switch can control broadcasts
–Limit the number of broadcasts per second

-Can often be used to control multicast and unknown unicast traffic
–Tight security posture

-Manage by specific values or by percentage
–Or the change over normal traffic patterns

22
Q

What is loop protection?

A

-Connect two switches to each other with two links
–They'll send traffic back and forth forever
–There's no "counting" mechanism at the MAC layer (an Ethernet frame has no TTL)

-This is an easy way to bring down a network
–And somewhat easy to resolve

-Spanning Tree Protocol, IEEE standard 802.1D (1990), prevents loops in bridged (switched) networks
–Algorithm created by Radia Perlman
–Used practically everywhere

23
Q

What is BPDU guard?

A

-Spanning tree takes time to determine if a switch port should forward frames
–Bypass the listening and learning states
–Cisco calls this PortFast

-BPDU (Bridge Protocol Data Unit)
–The Spanning tree control protocol

-If a BPDU frame is seen on a PortFast-configured interface (e.g., a workstation port), shut down the interface
–This shouldn’t happen
–Workstations don’t send BPDUs

24
Q

What is DHCP snooping?

A

-IP tracking on a layer 2 device (switch)
–The switch is a DHCP firewall
–Trusted: routers, switches, DHCP servers (uplink ports)
–Untrusted: other computers, unofficial DHCP servers (access ports)

-Switch watches for DHCP conversations
–Builds a binding table (MAC, IP, port, VLAN) from the leases it sees
–DHCP server messages (OFFER/ACK) arriving on an untrusted port are dropped

-Filters invalid IP and DHCP information
–Static IP addresses (no entry in the binding table)
–Devices acting as DHCP servers
–Other invalid traffic patterns

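Worked example for card 24 (added here; not vendor code and not part of the original deck): a simulated switch that applies DHCP snooping to a constructed DHCP exchange, dropping server messages that arrive on untrusted ports and building a binding table from the ACK it trusts. The `ip_source_guard` method shows the related feature that consumes the table to drop hosts using a static address the switch never saw leased. Port names, MACs and addresses are made up; the binding table omits the VLAN and lease timer a real switch also records.

```python
class DhcpSnoopingSwitch:
    """Toy model of DHCP snooping on a layer 2 switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.bindings = {}                  # client MAC -> (ip, port)
        self.pending = {}                   # client MAC -> port its DISCOVER/REQUEST came in on
        self.dropped = []                   # (port, msg_type, client_mac) of blocked messages

    def dhcp(self, port, msg_type, client_mac, ip=None):
        """Process one DHCP message arriving on `port`. Returns True if forwarded."""
        if msg_type in {"OFFER", "ACK", "NAK"}:
            if port not in self.trusted:
                # Server-side message from an access port: a rogue DHCP server.
                self.dropped.append((port, msg_type, client_mac))
                return False
            if msg_type == "ACK" and client_mac in self.pending:
                # Lease confirmed by a trusted server: record where that client lives.
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return True
        # Client-side messages are allowed from anywhere but remembered, so the
        # eventual ACK can be tied back to the port the client is plugged into.
        if msg_type in {"DISCOVER", "REQUEST"}:
            self.pending[client_mac] = port
        elif msg_type == "RELEASE":
            self.bindings.pop(client_mac, None)
        return True

    def ip_source_guard(self, port, src_mac, src_ip):
        """Data-plane check fed by the binding table: on untrusted ports only a
        (MAC, IP, port) triple the switch saw leased is allowed, so a host that
        configured a static IP, or moved to another port, is dropped."""
        if port in self.trusted:
            return True
        return self.bindings.get(src_mac) == (src_ip, port)
```

The trusted/untrusted split is the whole feature: if the uplink to the real DHCP server is left untrusted, legitimate OFFERs are dropped and clients stop getting addresses, which is the most common way this is misconfigured.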
25
Q

What is MAC filtering?

A

-Media Access Control
–The "hardware" address

-Limit access through the physical hardware address
–Keeps the neighbors out
–Additional administration with visitors

-Easy to find working MAC addresses through wireless LAN analysis
–MAC addresses can be spoofed
–Free open-source software

26
Q

What is out-of-band management?

A

-The network isn't available
–Or the device isn't accessible from the network

-Most devices have a separate management interface
–Usually a serial connection / USB

-Connect a modem
–Dial in to manage the device

-Console router / comm server
–Out-of-band access for multiple devices
–Connect to the console router, then choose where you want to go

27
Q

What is the need for QoS?

A

-Quality of Service
–Describes the process of controlling traffic flows

-Many different devices
–Desktop, laptop, VoIP phone, mobile devices

-Many different applications
–Mission critical applications, streaming video, streaming audio

-Different apps have different network requirements
–Voice is real-time
–Recorded streaming video has a buffer
–Database application is interactive

-Some applications are "more important" than others
–Voice over IP traffic needs priority over web browsing or YouTube
–Prioritize by maximum bandwidth, traffic rate, VLAN, etc.

-Many different methods
–Across many different topologies

28
Q

What's different about IPv6 regarding security?

A

-More IP address space
–More difficult to IP/port scan (but not impossible)
–The tools already support IPv6

-No need for NAT
–NAT is not a security feature

-Some attacks disappear
–No ARP, so no ARP spoofing (but Neighbor Discovery can be spoofed in much the same way)

-New attacks will appear
–For example, Neighbor Cache Exhaustion

29
Q

What are Taps and Port mirrors?

A

-Intercept network traffic
–Send a copy to a packet capture device

-Physical taps
–Disconnect the link, put a tap in the middle
–Can be an active or passive tap

-Port mirror
–Port redirection, SPAN (Switched Port ANalyzer)
–Software-based tap
–Limited functionality, but can work well in a pinch

30
Q

What is FIM?

A

-File Integrity Monitoring

-Some files change all the time
–Some files should NEVER change

-Monitor important operating system and application files
–Identify when changes occur

-Windows: SFC (System File Checker)
-Linux: Tripwire
-Many host-based IPS options

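Worked example for card 30 (added here; this is not Tripwire's or SFC's code): the core of a file integrity monitor in Python, which hashes every file under a directory into a baseline and later diffs a fresh baseline against it to report added, removed and changed files. The `demo` function builds a constructed fake `/etc` in a temporary directory and simulates an attacker appending a UID 0 account to `passwd`, dropping a cron file and deleting `motd`; the file names and contents are made up.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old, new):
    """Return (added, removed, changed) file name sets between two baselines."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {name for name in set(old) & set(new) if old[name] != new[name]}
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a fake /etc, tamper with it, re-baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("welcome\n")
        before = baseline(root)

        # Simulated tampering: extra UID 0 user, new cron job, deleted banner.
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        (root / "cron.backdoor").write_text("* * * * * /tmp/x\n")
        (root / "motd").unlink()
        after = baseline(root)
        return compare(before, after)
```

The baseline itself is the thing to protect: if it sits on the monitored host with the same permissions as the files it covers, an attacker who can alter `passwd` can re-hash it too, which is why real FIM tools sign the database or keep it off-box.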
31
Q

Explain Network-based Firewalls

A

-Filter traffic by port number or application
–Traditional vs. NGFW firewalls

-Encrypt traffic
–VPN between sites

-Most firewalls can be layer 3 devices (routers)
–Often sit on the ingress/egress of the network
–Network Address Translation (NAT) functionality
–Authenticate dynamic routing communication

32
Q

What is a stateless firewall?

A

-Does not keep track of traffic flows
–Each packet is individually examined, regardless of past history
–Stores no information about the current state of a connection
–A packet sent outside of an active session will traverse a stateless firewall if it matches a permit rule

33
Q

What is a stateful firewall?

A

-Stateful firewalls remember the "state" of the sessions
–Tracks active network connections while analyzing incoming traffic (for example, an outbound SYN opens a flow)
–Everything within a valid flow is allowed
–Inbound packets that belong to no known flow are dropped, whatever their flags claim

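Worked example for cards 32 and 33 (added here; not part of the original deck): a stateless ACL and a stateful filter applied to the same constructed packet trace. The stateless rule uses the classic "permit inbound if ACK is set" trick, so an attacker's crafted ACK probe to port 445 walks straight through, while the stateful filter drops it because no outbound flow ever opened that connection. IP addresses are documentation ranges; the TCP flag strings are a simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the protected network, "in" = arriving
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"


def stateless_filter(pkt):
    """Stateless ACL: each packet is judged on its own header only. Inbound
    traffic is permitted if it *claims* to belong to an established session
    (ACK bit set). No memory, so a crafted ACK to any port is let in."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Stateful filter: an outbound SYN opens a flow in the state table and
    afterwards only packets of a known flow are allowed in either direction."""

    def __init__(self):
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":          # new connection attempt from inside
                self.table.add(key)
                return True
            return key in self.table      # data on a flow we already know
        # Inbound: only replies to a flow we watched leave.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed trace: a legitimate HTTPS session from an inside host, then an
# attacker's ACK probe aimed at SMB on that same host.
TRACE = [
    Packet("out", "192.0.2.10", 51000, "198.51.100.5", 443, "S"),
    Packet("in", "198.51.100.5", 443, "192.0.2.10", 51000, "SA"),
    Packet("out", "192.0.2.10", 51000, "198.51.100.5", 443, "A"),
    Packet("in", "203.0.113.9", 4444, "192.0.2.10", 445, "A"),   # probe
]


def run(filter_fn, packets):
    """Apply a filter function to a packet list and return the verdicts in order."""
    return [filter_fn(p) for p in packets]


def compare_filters(packets=TRACE):
    """Verdicts of the stateless ACL and a fresh stateful filter on the same trace."""
    return run(stateless_filter, packets), run(StatefulFilter().filter, packets)
```

The last verdict is the one the two cards are about: the probe is accepted by the stateless filter and rejected by the stateful one. A real stateful firewall also ages flows out of the table and tracks FIN/RST so the table cannot grow without bound, which this model omits.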
34
Q

What is a UTM?

A

-Unified Threat Management (UTM) / web security gateway

-All-in-one security appliance
–URL filter / content inspection
–Malware inspection
–Spam filter
–CSU/DSU
–Router, switch
–Firewall
–IDS/IPS
–Bandwidth shaper
–VPN endpoint

35
Q

What is a WAF?

A

-Web Application Firewall

-Not like a "normal" firewall
–Applies rules to HTTP/HTTPS conversations

-Allow or deny based on expected input
–Unexpected input is a common method of exploiting an application

-SQL injection
–Add your own commands to an application's SQL query

-A major focus of the Payment Card Industry Data Security Standard (PCI DSS)

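Worked example for card 35 (added here; not part of the original deck): the SQL injection a WAF is meant to catch, shown on an in-memory SQLite table with a vulnerable login query built by string formatting, the same query written with bound parameters, and a crude WAF-style input rule alongside. The table contents, account names and the `waf_check` pattern are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed user table; in-memory so the example runs anywhere."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """The user's input is pasted into the SQL text, so quotes in the input
    end the string literal and the rest becomes part of the query."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Placeholders: the driver binds the input as data, so it can never change
    the structure of the statement. This is the real fix."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology payload: closes the password literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"

# Constructed WAF-style rule: reject input that closes a quote and continues
# with a boolean operator. Defense in depth only; trivially evaded (comments,
# encoding, case tricks), which is why the parameterized query is the control.
_TAUTOLOGY = re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE)


def waf_check(value):
    """True if the input passes the (weak) WAF rule, False if it is blocked."""
    return _TAUTOLOGY.search(value) is None


def rendered_query(username, password):
    """What the vulnerable function actually sends to the database."""
    return ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))
```

With the payload as the password, the vulnerable query becomes `... password = '' OR '1'='1'`, which is true for every row, so the attacker is "logged in" as everyone at once; the parameterized version returns nothing because it looks for a user whose password literally is the payload string.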
36
Q

Explain Firewall Characteristics

A

-Open-source vs. proprietary
–Open-source provides traditional firewall functionality
–Proprietary features include application control and high-speed hardware

-Hardware vs. software
–Purpose-built hardware provides efficient and flexible connectivity options
–Software-based firewalls can be installed almost anywhere

-Appliance vs. host-based vs. virtual
–Appliances provide the fastest throughput
–Host-based firewalls are application-aware and can view non-encrypted data
–Virtual firewalls provide valuable East/West network security

37
Q

Explain Edge vs. Access control

A

-Control at the edge
–Your internet link
–Managed primarily through firewall rules
–Firewall rules rarely change

-Access control
–Control from wherever you are, inside or outside
–Access can be based on many rules
––By user, group, location, application, etc.
–Access can be easily revoked or changed
––Change your security posture at any time

38
Q

Explain the different NAC agents

A

-Persistent agents
–Permanently installed onto a system
–Periodic updates may be required

-Dissolvable agents
–No installation is required
–Runs during the posture assessment
–Terminates when no longer required

-Agentless NAC
–Integrated with Active Directory
–Checks are made during login and logoff
–Can't be scheduled

39
Q

What is a Proxy?

A

-Sits between the users and the external network
-Receives the users' requests and sends the request on their behalf (the proxy)
-Useful for caching information, access control, URL filtering, content scanning
-Applications may need to know how to use the proxy (explicit)
-Some proxies are invisible (transparent)

40
Q

What is an Application Proxy?

A

-One of the simplest "proxies" is NAT
–A network-level proxy

-Most proxies in use are application proxies
–The proxy understands the way the application works

-A proxy may only know one application
–HTTP

-Many proxies are multipurpose proxies
–HTTP, HTTPS, FTP, etc.

41
Q

What is a Forward Proxy?

A

-An "internal proxy"
–Commonly used to protect and control user access to the internet

42
Q

What is a Reverse Proxy?

A

-Inbound traffic from the internet to your internal service

43
Q

What is an Open Proxy?

A

-A third-party, uncontrolled proxy
–Can be a significant security concern

-Often used to circumvent existing security controls

44
Q

What is Passive monitoring?

A

-Examine a copy of the traffic
–Port mirror (SPAN), network tap

-No way to block (prevent) traffic

45
Q

What is out-of-band response?

A

-When malicious traffic is identified, the IPS sends TCP RST (reset) packets
–After-the-fact: the offending packets have already reached the target
–Limited UDP response available (UDP has no reset mechanism)

46
Q

What is Inline monitoring?

A

-IDS/IPS sits physically inline
–All traffic passes through the IDS/IPS

47
Q

What is In-band response?

A

-Malicious traffic is immediately identified
–Dropped at the IPS
–Does not proceed through the network

48
Q

List the Identification Technologies

A

-Signature-based
–Look for a perfect match

-Anomaly-based
–Build a baseline of what's "normal"

-Behavior-based
–Observe and report

-Heuristics
–Use artificial intelligence to identify

49
Q

What is a Jump Server?

A

-Access secure network zones
–Provides an access mechanism to a protected network

-Highly-secured device
–Hardened and monitored

-SSH / tunnel / VPN to the jump server, then on to the protected zone from there

-A significant security concern
–Compromise of the jump server is a significant breach

50
Q

What is an HSM?

A

-Hardware Security Module

-Used in large environments
–Clusters, redundant power

-High-end cryptographic hardware
–Plug-in card or separate hardware device

-Key backup
–Secured storage

-Cryptographic accelerators
–Offload the CPU overhead from other devices
-Hardware Security Module -Used in large environments --Clusters, redundant power -High-end cryptographic hardware --Plug-in card or separate hardware device -Key backup --Secured storage -Cryptographic accelerators --Offload that CPU overhead from other devices