3.3 - Given a scenario, implement secure network designs.

Question 1

Load balancing

Question 2

• Active/active

Question 3

• Active/passive

Question 4

• Scheduling

Question 5

• Virtual IP

Question 6

• Persistence

Question 7

Network segmentation

Question 8

VLAN

Answer 8

Virtual local area network

Chapple 365
Gibson 93
Weiss 342-345

Question 9

• Screened subnet (previously
  known as demilitarized zone)

Answer 9

Chapple
Gibson
Weiss

Question 10

• East-west traffic

Question 11

• Extranet

Question 12

• Intranet

Question 13

• Zero Trust

Question 14

Virtual private network (VPN)

Question 15

• Always-on

Question 16

• Split tunnel vs. full tunnel

Question 17

• Remote access vs. site-to-site

Question 18

• IPSec

Question 19

• SSL/TLS

Question 20

• HTML5

Question 21

• Layer 2 tunneling protocol (L2TP)

Question 22

Out-of-band management

Question 23

Port security

Question 24

Port security - Broadcast storm prevention

Question 25

• Bridge Protocol Data Unit (BPDU) guard

Question 26

• Loop prevention

Question 27

• Dynamic Host Configuration
  Protocol (DHCP) snooping

Question 28

• Media access control (MAC) filtering

Question 29

Jump servers

Answer 29

Access secure network zones
– Provides an access mechanism
to a protected network

Highly-secured device
– Hardened and monitored

SSH / Tunnel / VPN to
the jump server
– RDP, SSH, or jump from there

A significant security concern
– Compromise to the
jump server is
a significant breach

Question 30

Network appliances - Proxy servers

Question 31

Proxy servers - Forward

Question 32

Proxy servers - Reverse

Question 33

Network appliances - Network-based intrusion detection
system (NIDS)/network-based intrusion prevention system (NIPS)

Question 34

Network-based intrusion detection
system (NIDS)/network-based intrusion prevention system (NIPS) - - Signature-based

Question 35

Network-based intrusion detection
system (NIDS)/network-based intrusion prevention system (NIPS) - Heuristic/behavior

Question 36

Network-based intrusion detection
system (NIDS)/network-based intrusion prevention system (NIPS) - Anomaly

Question 37

Network-based intrusion detection
system (NIDS)/network-based intrusion prevention system (NIPS) - Inline vs. passive

Question 38

• HSM

Answer 38

Hardware Security Module (HSM)
* High-end cryptographic hardware
– Plug-in card or separate hardware device
* Key backup
– Secured storage
* Cryptographic accelerators
– Offload that CPU overhead
from other devices
* Used in large environments Clusters, redundant power

Question 39

• Sensors

Question 40

• Collectors

Question 41

• Aggregators

Question 42

Firewalls

Question 43

Web application firewall (WAF)

Answer 43

-work at app layer
-sits in front of web serv. > receives all net. traffic headed to the serv.
> scrutinizes input headed to app/performing input validation b4 passing input to web serv.
-prevent mal. traffic from reaching web serv. + acts as part of layered defense against web app vulns.

Question 44

• NGFW

Question 45

• Stateful

Question 46

• Stateless

Question 47

• Unified threat management (UTM)

Question 48

• Network address translation (NAT) gateway

Question 49

• Content/URL filter

Question 50

• Open-source vs. proprietary

Question 51

• Hardware vs. software

Question 52

• Appliance vs. host-based vs. virtual

Question 53

ACL

Answer 53

Access control lists (ACLs)
– Allow or disallow traffic based on tuples
– Groupings of categories
– Source IP, Destination IP, port number, time of day,
application, etc.

Question 54

Route security

Question 55

Quality of service (QoS)

Question 56

Implications of IPv6

Question 57

Port spanning/port mirroring

Question 58

Port spanning/port mirroring - Port taps

Question 59

Monitoring services

Question 60

File integrity monitors