3.3 Secure Network Design

Question 1

Load balancing

Answer 1

Spreads network loads across a set of resources.

Used for websites, high bandwidth files, IRC (Internet Relay Chat)

Question 2

Active/Active

Answer 2

Two servers working together to distribute the load.

Question 3

Active/Passive

Answer 3

One server active and the second server or more is just observing ready to take over if the primary server fails.

Question 4

Scheduling

Answer 4

A algorithm decides which machine receives the load.

Types of scheduling:
Affinity-based & Round-Robin

Question 5

Affinity-Based Scheduling

Answer 5

Keeps the host connected to the same server for the entire session.
Directs all load balancing back to the same server.

Question 6

Round-Robin Scheduling

Answer 6

Sends request to a new server each time, dose not matter how big the request is.

Question 7

Virtual IP

Answer 7

Server creates virtual IPs to give to the end users so the request data from that server.

Question 8

Persistence

Answer 8

Uses Affinity Scheduling, connects to the same target(server) in a load balancing system.

Question 9

Network Segmentation

Answer 9

Separates servers or network devices off the Internet.

Question 10

VLAN

Answer 10

Virtual Local Area Network

A LAN set of devices that are connected to a switch.
A VLAN is the same thing but is ran by software.
A trunk is used to send packets to other VLAN for communication.

Question 11

Screened Subnet

Answer 11

Buffer zone between Untrusted network (Internet) and Trusted Network. Accomplished by placing Hardening devices between the two.

Question 12

East-West Traffic

Answer 12

Data that flows through a enterprise

Question 13

North-South Traffic

Answer 13

Data that flows outside the the enterprise.

Question 14

Extranet

Answer 14

It is semi private network that allows users to request information from the Internet but masks the IP address by using a VPN.

Question 15

Intranet

Answer 15

Private Network that only allows downloaded data to be shared across its network.

It can get information from the internet by using a proxy server and a cache server to slow down request for that same thing.

Proxy sever also stop inappropriate content from being shared.

Question 16

Zero Trust

Answer 16

Security Model that doesn’t allow you to trust anyone without validating ID

Question 17

VPN

Answer 17

Virtual Private Network
Protocols that allow packets to be sent across a unsecured network.
VPNs work because only the endpoints can decrypt the message.
Protocols: SSH, IPSec, L2TP, SSL/TLS

Question 18

Always On

Answer 18

When a VPN senses a internet connection its auto-mantically turns on

Question 19

Split tunnel vs. full tunnel

Answer 19

Splitting Traffic from a VPN. Increases speed but some packets are insecure.

Full gives full protection over the network

Question 20

Site-to-Site

Answer 20

Encrypting traffic when connecting to a intermediary (public Internet)

Question 21

Remote

Answer 21

Allows connection to a specific network.

Question 22

IPSec

Answer 22

Protocol on how packets are sent two ways.

Transport mode encrypts the data being sent.

Tunnel Mode encrypts the destination.

Security Association combines both.

Question 23

SSL/TLS

Answer 23

Transport Layer across the Web

Question 24

HTML5

Answer 24

Current version of HTML. Used to develop web page content.
Newer version can connects to a VPN and can connect to more devices such as mobile.

Question 25

L2TP

Answer 25

Layer 2 Tunnel Protocol

Question 26

DNS

Answer 26

DNSSEC is a DNS protocol that validates the DNS.

Question 27

NAC

Answer 27

Network Access Control
A methodology that manages end-point devices.
Used to control who connects to the network.

Question 28

NAC Agent

Answer 28

NAC is installed on the host device itself

Question 29

NAC Agentless

Answer 29

NAC Agentless code that is stored within the memory.

Question 30

Out-of-Band Management

Answer 30

In-band Managements- a system that is directly connected to the physical data flow.

Out-band Management - a system that is separate from the neatwork itself in case a physical connection is not available.

Question 31

Port Security

Answer 31

controls the devices that is connected to your switch through MAC.

Question 32

Port Security types

Answer 32

Static Learning- Assigned Device connects to a switch MAC is stored.

Dynamic Learning- MAC is stored as they connect.

Sticky Learning- Multiple MACs are connected to a single port switch.

Question 33

Flood Guards

Answer 33

Monitors Traffic and drops connection when there is too much traffic

Question 34

BPDU

Answer 34

Bridge Protocol Data Unit

Blocks BPDU packets to stop a DOS Attack.

Question 35

Loop Prevention

Question 36

DHCP Snooping

Answer 36

Prevents malicious DHCP servers from connecting to good DHCP servers on the switch level.

Question 37

MAC filtering

Answer 37

allows you to block traffic coming from certain known machines or devices

Question 38

Jump Servers

Answer 38

Connect to a jump host before connecting a protected network.

Basically using a middle man connection to connect to the important stuff

Question 39

Proxy Servers

Answer 39

Servers that stop users from accessing bad websites

Question 40

Types of Proxy Server

Answer 40

Forward proxy- protects the client

Reverse- Protects the server.

Question 41

NIDS

Answer 41

Network Intrusion Detection System

Detects and logs unauthorized network activity.

Question 42

NIPS

Answer 42

Network Intrusion Prevention System

Same as NIDS but takes action.

Question 43

NIPS (IDS way of identifying)

Answer 43

Signature-based- pre downloaded signatures that the IDS looks for.

Heuristic/Behavior- Uses AI or pre assigned rules t identify IDS.

Anomaly- deviation from any normal behavior.

Question 44

NIPS/NIDS In-Band/Out-band Passive

Answer 44

In-Band- a sensor that looks for malicious traffic on a network.

Out-band- Looks for things on wider spectrum.

Question 45

HSM

Answer 45

Hardware Security Module- a DEVICE that allows you to store encryption keys.

Used to keep passwords off a network

Question 46

ACL

Answer 46

Access Control List-

List of host that can make configurations to the network

Question 47

Routing Security

Answer 47

Protocols that set in place so that packets are secure and enable network functionality

Question 48

Q&S

Answer 48

Quality of Service-
Technologies used for to manga a networks bandwidth, latency, jitter, and error rates.

Admin can allocate what packets are a priority through this.

Question 49

Port Mirror/SPAN

Answer 49

Switch port Analyzer- ability to copy one or more ports

Question 50

Port Traps/TAPS

Answer 50

Test Access Point- hardware within a network that can copy all the packets that been sent through. \

Not good because that can be used in a Man-in-the-middle-attack.

Question 51

Monitoring Services/NSM

Answer 51

Network Security Monitoring- A SERVICE that analyze network activity and alerting if network defenses have failed.