3.3 - Given a scenario, implement secure network designs.

Question 1

Load balancing

Question 2

• Active/active

Question 3

• Active/passive

Question 4

• Scheduling

Question 5

• Virtual IP

Question 6

• Persistence

Question 7

Network segmentation

Question 8

VLAN

Answer 8

Virtual local area network

Chapple 365
Gibson 93
Weiss 342-345

Question 9

• Screened subnet (previously
  known as demilitarized zone)

Answer 9

Chapple
Gibson
Weiss

Question 10

• East-west traffic

Question 11

• Extranet

Question 12

• Intranet

Question 13

• Zero Trust

Question 14

Virtual private network (VPN)

Question 15

• Always-on

Question 16

• Split tunnel vs. full tunnel

Question 17

• Remote access vs. site-to-site

Question 18

• IPSec

Question 19

• SSL/TLS

Question 20

• HTML5

Question 21

• Layer 2 tunneling protocol (L2TP)

Question 22

Out-of-band management

Question 23

Port security

Question 24

Port security - Broadcast storm prevention

Question 25

- Bridge Protocol Data Unit (BPDU) guard

Question 26

- Loop prevention

Question 27

- Dynamic Host Configuration Protocol (DHCP) snooping

Question 28

- Media access control (MAC) filtering

Question 29

Jump servers

Answer 29

Access secure network zones – Provides an access mechanism to a protected network Highly-secured device – Hardened and monitored SSH / Tunnel / VPN to the jump server – RDP, SSH, or jump from there A significant security concern – Compromise to the jump server is a significant breach

Question 30

Network appliances - Proxy servers

Question 31

Proxy servers - Forward

Question 32

Proxy servers - Reverse

Question 33

Network appliances - Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)

Question 34

Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) - - Signature-based

Question 35

Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) - Heuristic/behavior

Question 36

Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) - Anomaly

Question 37

Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) - Inline vs. passive

Question 38

- HSM

Answer 38

Hardware Security Module (HSM) * High-end cryptographic hardware – Plug-in card or separate hardware device * Key backup – Secured storage * Cryptographic accelerators – Offload that CPU overhead from other devices * Used in large environments Clusters, redundant power

Question 39

- Sensors

Question 40

- Collectors

Question 41

- Aggregators

Question 42

Firewalls

Question 43

Web application firewall (WAF)

Answer 43

-work at app layer -sits in front of web serv. > receives all net. traffic headed to the serv. > scrutinizes input headed to app/performing input validation b4 passing input to web serv. -prevent mal. traffic from reaching web serv. + acts as part of layered defense against web app vulns.

Question 44

- NGFW

Question 45

- Stateful

Question 46

- Stateless

Question 47

- Unified threat management (UTM)

Question 48

- Network address translation (NAT) gateway

Question 49

- Content/URL filter

Question 50

- Open-source vs. proprietary

Question 51

- Hardware vs. software

Question 52

- Appliance vs. host-based vs. virtual

Question 53

ACL

Answer 53

Access control lists (ACLs) – Allow or disallow traffic based on tuples – Groupings of categories – Source IP, Destination IP, port number, time of day, application, etc.

Question 54

Route security

Question 55

Quality of service (QoS)

Question 56

Implications of IPv6

Question 57

Port spanning/port mirroring

Question 58

Port spanning/port mirroring - Port taps

Question 59

Monitoring services

Question 60

File integrity monitors