Secure a Network Infrastructure Flashcards
Windows Firewall Software Defined Firewall IPSec DNSSEC SMB Message Analyzer
1
Q
In which version of the Windows was the Windows (Defender) Firewall with Advanced Security MMC introduced?
A
Windows Vista / Server 2008 R1
2
Q
What is the difference between the Windows Firewall M MC and the Windows Firewall control panel applet?
A
The MMC extension is far more configurable and intended for administrative use.
The Control Panel Applet allows for easier management of the more basic features. It is geared towards consumer use.
3
Q
When configured through Windows Firewall, what functionality does IPSec offer?
A
IPSec enables the requiring of authentication from any device attempting to communicate with your device.
IPSec also can require that specific network traffic be encrypted.
4
Q
What is the purpose of an isolation policy?
A
Domain isolation policies prevent devices joined to the domain from receiving unsolicited network traffic from devices that are not domain joined.
5
Q
What is a boundary zone?
A
Boundary zones are for devices that must be able to receive requests from devices that are not isolated devices.
6
Q
What is an encryption zone?
A
Encryption zones are for devices that store sensitive data and must be protected during network transmission.
7
Q
What is a Connection Security Rule?
A
A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the condition. Can be configured to allow, block, or even require the packet to be protected by IPSec. Formerly referred to as an IPSec rule.
8
Q
What is Certificate-based Isolation?
A
Certificate-based Isolation allows for adding devices that do not support Kerberos v5 into an isolated domain. Every device in the isolated domain that is unable to use Kerb v5 are given a device certificate that can allow them to authenticate with one another.
9
Q
What are reasons to have a Host-Based Firewall?
A
Host-based firewalls secure devices by dropping all network traffic that does not match the administrator-designated rule set for permitted network traffic.
10
Q
What are the benefits of using a Basic Firewall Policy Design doctrine?
A
- Network traffic that is a reply to a request from the local device is permitted.
- Network traffic that is unsolicited and matches a rule for allowed traffic is permitted
- Outbound traffic not specifically blocked is permitted
11
Q
What mechanism of Windows Firewall can be used to restrict access to only trusted devices?
A
Connection Security Rules
12
Q
In general, how do you secure a network from untrusted devices?
A
Authenticate traffic. This way only authenticated traffic is permitted to core resources.
13
Q
In general, how do you obtain isolation using Windows Firewall?
A
Use Connection Security Rules to restrict traffic to be authenticated either with certificates or with Kerberos v5 in the AD domain
14
Q
What are the benefits of domain isolation using Windows Firewall?
A
- Devices in the isolated domain accept unsolicited inbound traffic only when it can be authenticated as coming from another device in the domain. Exemption rules can be configured to allow inbound traffic from computers unable to utilize IPSec.
- Devices in the isolated domain can still send outbound traffic to untrusted devices and receive responses to the outbound requests.
15
Q
How would you equip devices in a boundary zone to communicate with both protected internal devices and unprotected external devices?
A
Boundary zones would be configured to use connection security rules that request and do not require authentication.
16
Q
What are the benefits of using Windows Defender Firewall?
A
Reducing the risk of network security threats.
Safeguard sensitive data and intellectual property
Extend value of existing investments
17
Q
Does Windows Firewall encrypt traffic by default?
A
No. Windows Firewall makes no attempt to encrypt traffic by default. However, this can be enabled.
18
Q
What does requiring authentication for connections not protect against?
A
Eavesdropping on the network traffic shared between two hosts if the traffic is unencrypted.
19
Q
What are the benefits of encrypting traffic with Windows Firewall?
A
- Devices in the encryption zone require authentication to communicate with other devices
- Devices in the encryption zone require all inbound and outbound traffic to be encrypted
- Devices in the encryption zone are good candidates for isolation.
20
Q
What are Network Access Groups (NAGs)?
A
Groups authorized to access a device that has its access restricted using Windows Defender Firewall.
21
Q
How do you create a virtual “secure zone” within a domain isolation zone?
A
Configure Windows Firewall to restrict access to members of certain groups using Network Access groups.
22
Q
What are the features of restricting access to servers to specific users and groups?
A
- Isolated services accept unsolicited inbound traffic only from devices that are members of the NAG
- Isolated servers can be implemented as part of an isolated domain and treated as another zone
- Server isolation can be configured independently of an isolated domain
- Server isolation zone can be simultaneously configured as an encryption zone
23
Q
Why is AD Group Policy recommended as the configuration point of all Connection Security Rules?
A
AD Group Policy supports centralized management of all connection security rules. These rules can be applied, via GPO, to target servers or server groups (OUs).
24
Q
You have configured server isolation using connection security rules. You need to configure those servers to be part of your encryption zone. What else would need to be configured?
A
Configure the devices with rules that force encryption along with restricting access to NAG members.
25
You have configured server isolation using connection security rules. You also need to configure those servers to be part of an isolated domain. What else would need to be configured?
Configure only devices that must communicate with the server with connection security rules to implement authentication and check NAG membership.
26
What is the benefit of using IPSec over just using Windows Firewall?
- Windows Firewall can restrict access on a given port to alist of defined source IPs
- IPSec allows the use of computer groups and dynamic IPs allow for more flexible security.
- In effect, IPSec allows for building identity-based Firewall Rules.
27
Can you utilize IPSec and the Windows Firewall in tandem?
Yes. In fact, IPSec requires the use of the Windows Firewall.
NOTE: Some 3rd party solutions are not compatible with the Windows Firewall and may disable the use of IPSec.
28
Are there any port requirements to using IPSec with Windows Firewall?
UDP 500 (IKE) is used during the key exchange
29
Where must Connection Security RUles be configured to ensure that two computers can create an IPSec connection?
Since both systems must agree on the parameters of the connection, connection security rules are required for both the source and the destination.
30
What is a Security Association?
Security Associations are created once two systems have agreed upon IPSec parameters, authenticated each other, exchanged key material, and agreed upon encryption and hashing algorithms.
31
Where do you configure a connection security rule?
- Windows Firewall MMC
- Group Policy via Computer Configuration \ Windows Settings \ Security Settings \ Windows Firewall with Advanced Security
32
What is the impact of a misconfigured Connection Security Rule?
A misconfigured CSR could very easily prevent a device from connecting on the network or being accessed. Undoing the damage may require console access to correct.
33
How do you create a Connection Security Rule?
- Launch the Windows Firewall with Advanced Security MMC or use Group Policy and load the Windows Firewall with Advanced Security section
- Right-Click "Connection Security Rule" \ Choose "New Rule"
34
What different types of settings can be configured in a Connection Security Rule?
- Isolation Rules that restrict connections based on authentication criteria, such as domain membership or health status.
- Authentication Exemptions that do not authenticate connections from specified computers
- Server-to-Server authenticates connections between specified computers
- Tunnel will authenticate connections between two computers
- Custom rules
35
In a connection security rule, how do you determine which systems are inbound or outbound systems?
Endpoints are where you specify the sides of the connection (Endpoint 1 and Endpoint 2)
Protocol and ports allows for selecting which ports on which side are being used. Since most apps use randomized source ports "All ports" usually specifies the sender.
36
What different authentication requirements can be configured for Connection Security Rules?
- Request authentication for inbound and outbound connections
- Require authentication for inbound connections and request authentication for outbound connections
- Require authentication for inbound and outbound connections
- Do not authenticate.
37
What different authentication methods can be chosen from via Connection Security Rules?
- Default (uses methods specified in IPSec Settings)
- Computer and User (Kerberos v5)
- Computer (Kerberos v5)
- Advanced (allows for customizing)
38
You have configured a connection security rule, what else needs done for a system to require authenticated connection?
Configure a firewall rule for the given protocol or application and specify that the connection must be secure "Allow the connection if it is secure"
39
You've configured connection security rules and restricted access to your systems. The networking team has reached out and informed you that they are unable to perform network packet inspection. What can you do to ensure that they can still perform this task?
On the firewall rule where "Allow the connection if it is secure" is configured, click customize and configure "Allow the connection to use null encapsulation".
40
Where do you see if Security Associations have been established to a system?
Launch Firewall MMC \ Expand Monitoring \ Expand Security Associations \ expand "Main Mode"
41
Which Windows Firewall designs would provide the ability to protect devices from unwanted network traffic?
- Basic Firewall design
- Domain Isolation Policy Design
- Server Isolation Policy Design
- Certificate-based Isolation policy design
42
Which Windows Firewall designs would restrict access to only trusted devices?
- Domain Isolation Policy Design
- Server Isolation Policy Design
- Certificate-based Isolation Policy Design
43
Which Windows Firewall design would allow access only to specified users or devices?
- Server Isolation Policy Design
| - Certificate-based Isolation Policy Design
44
In which version of Windows was the ability for most roles and features to auto-add their firewall configurations to the Windows Firewall added?
Server 2000
45
What is the function of Software Defined Networking?
- SDN provides a method to centrally configure and manage physical and virtual network devices such as routers, switches, and gateways
- Allows for deeper integration between virtual networks and physical networks.
46
What version of Windows is required for Hyper-V hosts to utilize SDN infrastructure?
Server 2016 Datacenter
47
What are some things that SDN Can do?
- Dynamically create, secure, and connect the network to meet the needs of applications.
- Speed up the deployment of workloads in a non-disruptive manner
- Contain security vulnerabilities from spreading across the network
- Define and control policies that govern both physical and virtual networks.
- Implement network policies consistently at scale.
- SDN can help reduce overall network infrastructure costs
48
What is "Datacenter Firewall"?
Datacenter Firewall is a new service in Server 2016. It is a network-layer, stateful, multitenant firewall that allows for tenant administrators to configure firewall policies to protect their virtual networks from unwanted traffic originating from the internet and adjacent intranet networks
49
What are the advantages of Datacenter Firewall?
- Scalable, manageable, and diagnosable software-based firewall that can be offered to tenants.
- Freedom to move tenant virtual switches to different compute hosts without breaking tenant firewall policies
- Offers protection to tenant VMs independent of the guest OS
- Allows tenants to define firewall rules to help protect internet-facing workloads
- Allows tenants to define firewall rules to help protect traffic on the same L2 subnet
- Allows tenants to define firewall rules to help isolate traffic between on-prem and virtual networks at the service provider.
50
What is a Network Controller?
Network controllers provide a centralized, programmable point of automation to manage, configure, monitor, and troubleshoot both physical and virtual network infrastructure. The configuration of the network infrastructure can be automated with a network controller.
51
What different APIs are supported by a Network Controller?
Southbound API - Allows Network Controller to communicate with the network.
Northbound API - Allows you to communicate with the network controller
52
What specific types of infrastructure can be managed with a network controller?
- Hyper-V VMs and Virtual Switches
- Physical Network Switches
- Physical Network Routers
- Firewall Software
- VPN Gateways (including RAS Multitenant gateways)
- Load Balancers
53
What is Hyper-V Network Virtualization?
Hyper-V Network Virtualization helps abstract applications and workloads from the physical network by using virtual networks. Virtual networks provide necessary multi-tenant isolation by running on a shared physical network fabric
54
What is a Hyper-V virtual switch?
Hyper-V virtual switch is a software-based layer-2 Ethernet switch available in Hyper-V manager after Hyper-V has been installed.
Hyper-V switches are programmatically managed and include extensible capabilities to connect VMs to both virtual and physical networks.
55
What is iDNS?
Since VMs and apps require DNS to communicate, iDNS provides tenants with DNS name resolution for isolated, local namespaces and internet resources.
56
What different technologies fall under Network Function Virtualization?
- Software Load Balancer (SLB) and Network Address Translation (NAT)
- Data Center Firewall
- RAS Gateway for SDN
57
What is the difference between network perimeter firewalls and host-based firewalls?
Network perimeter firewalls are found on the boundary between an internal and external network. Can be either hardware or software and provide many features
Host-based firewalls run on individual systems within the network. They provide a second layer of defense from attacks and unauthorized access. They also block specific types of access.
58
What settings can be configured in the Windows 10 Advanced Sharing Settings?
- Turn off network discovery
- Turn off file and printer sharing
- Turn off HomeGroup connections
- Turn on or off public folder sharing
- Turn on or off media streaming
- Encryption for file sharing connections
59
In Windows 10 Advanced Sharing Settings, what does Network Discovery do?
When enabled this will search for other devices on the network and allow other computers and devices on the network to find Windows-based computers
60
What are the different locations in Advanced Sharing?
Home Network
Work Network
Public Network
Domain Network
61
In which Windows network location are systems considered trusted and discovery and homegroups are turned on?
Home network
62
Which network location is intended for small offices that may want network discovery turned on?
Work Network
63
Which network location has discovery and homegroup turned off?
Public Network
64
How do you enable or disable Network Discovery on a Server?
Start \ Settings \ Network & Internet \ Ethernet \ Choose the Network connection \ Network Page
Toggle "Make this PC discoverable"
65
What is the difference between the Windows Firewall Network Profiles?
- The domain profile is used when the system is joined to a corporate network and can authenticate to the domain via one of its connections
- The private profile is used in a secured location that is located behind a firewall with NAT
- Public is used as the default if no other profile is selected and is intended for untrusted/unsecured networks.
66
On any of the profile tabs in Windows Firewall Properties, what can be configured?
- Firewall can be turned on or off
- Inbound/Outbound connections can be configured to allowed or blocked
- Protected Network Connections can be configured
- Settings can be configured to control display notifications, allow unicast or broadcast, rule merging, etc.
- Logging can be configured
67
What is Rule Merging in Windows Firewall?
Rule Merging is configured as part of the Firewall Properties per profile and allows, or disallows, the usage of locally configured firewall rules with GPO based rules.
68
What settings may be configured under the Windows Firewall Properties IPSec Settings tab?
- IPSec Defaults - Determine how the computer will establish a secure connection
- IPSec Exemptions - Enable to except ICMP to simplify troubleshooting
- IPSec Tunnel Authorization - Allow for specifying users and computers authorized to establish IPSec tunnel connections.
69
If different Windows Firewall rules conflict, how are the conflicts managed.
1. Authenticated Bypass rules
- Basically: IPsec is allowing authenticated access
2. Block Connection
3. Allow Connection
4. Default Rule Behavior
70
You wish to configure a connection security rule to allow connections from computers in your research subnet. How would you configure these rules using Connection Security Policies?
You won't. Connection security rules specify how and when authentication occurs. They do not allow connections. Use inbound/outbound rules to allow or deny connections.
71
What powershell cmdlet enables a firewall rule?
Enable-NetFirewallRule
72
What Powershell cmdlet will disable a firewall rule?
Disable-NetFirewallRule
73
What Powershell cmdlet will retrieve all available rules from a target system?
Get-NetFirewallRule
74
How would you create a new Firewall rule to block port 80 outbound?
New-NetFirewallRule -DisplayName "Block 80 out" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block
75
Which Powershell command would be used to modify an existing firewall rule?
Set-NetFirewallRule
76
What are the different configurable flavors of connection security rules?
- Isolation
- Authentication Exemption
- Server-to-Server
- Tunnel
- Custom
77
What is an Isolation Connection Security Rule?
It isolates computers based on credentials. Is used to implement an isolation strategy for servers or domains.
78
What is an Authentication Exemption Connection Security Rule?
Designates connections that do not require authentication based on specific IP, IP Range, subnet, or other data.
79
What is a Server-to-Server Connection Security Rule?
Helps protect connections between gateway computers.
80
What are Custom Connection Security Rules?
Use a custom rule to authenticate connections between two endpoints when the other rules cannot be used.
81
What settings are required inside a Connection Security Rule?
- Requirements: Authentication
- Authentication Method: Default (IPSec) or Kerberos
- Profile: Domain, Private, Public
- Exempt Computers
- Endpoints: For server-to-server rules
- Tunnel Endpoints: Tunnel rules only
82
What different authentication methods can be used inside a Connection Security Rule?
- Default - Uses IPSec configuration to determine auth method
- Computer and User (Kerberos v5) - Restricts communications to connections from domain-joined users and computers
- Computer (Kerberos v5) - Restricts communications to domain-joined computers
- Advanced - Custom. Can be Computer (KerbV5), Computer (NTLMv2), computer certificate, or preshared key. Can use a second method for auth too.
83
ON which systems does the connection security rule need to be created, sending or receiving?
Both. It must be configured on either side of the connection.
84
How do you create a Connection Security Rule using Windows Firewall with Advanced Security?
1. Windows Firewall with Advanced Security
2. Right-Click "Connection Security Rules" \ New Rule
3. Select the Rule Type
4. Configure Requirements (Authentication)
5. Configure the Profile
6. Name the rule
7. Repeat this process on the second system
85
When would you want to create an Authentication Exemption rule?
Some computers in a network may not be able to communicate via IPSec. Exempting these systems will allow them to communicate in Isolation networks. This does lower the overall security of the zone.
86
How do you create an Authorization Exemption rule?
1. Windows Firewall with Advanced Security
2. Right-Click "Connection Security Rules" \ New Rule
3. Select "Authenticated Exemption" for rule type
4. Add the exempt systems
5. Select the profile
6. Name the rule
87
What are the default behaviors of the Windows Firewall?
- Programs can create required rules as part of their installation
- Predefined rules built into Windows can be easily configured and deployed as a GPO
- Unsolicited inbound traffic is blocked
- Outbound traffic is allowed
88
You have an administrator who insists on not using the Windows Firewall and decides to turn off the "Windows Defender Firewall with Advanced Security" service on systems. Aside from not having a firewall, why is this course ill advised?
- Microsoft does not support disabling the Windows Defender Firewall with Advanced Security Service
- Instead, disable the firewall profiles via Policy if you do not want Windows Firewall on all systems.
89
Which version of Windows is the Windows Firewall service turned on by default?
Server 2012 and later
90
Which version of Windows support Software Defined Networking?
- Server 2012/R2
| - Server 2016
91
What role service is required to configure Software-Defined Networking?
Hyper-V
92
What are the different components available to SDN in Windows Server Hyper-V?
- Network Controller
- Hyper-V Network Virtualization (HNV)
- Hyper-V Virtual Switch
- RRAS Multi-tenant Gateawy
- NIC Teaming
93
What does Hyper-V Network Virtualization provide?
HNV helps abstract or separate applications and workloads from the underlying physical network using virtual networks.
94
What are RRAS Multi-tenant Gateways?
RRAS Multi-Tenant Gateway gives you the ability to extend network boundaries to Azure or other providers and deliver on-demand hybrid infrastructure.
95
In which version of Windows was Datacenter Firewall introduced?
Server 2016
96
What is Datacenter Firewall?
A distributed firewall solution well suited for helping protect virtual environments. It is derived from Azure and provides a stateful, multi-tenant firewall that is operating-system specific.
97
In what version of Windows was Network Controller introduced?
Server 2016
98
With Network Controller, what is the difference between a Northbound API and Southbound API?
- Soutbound API is used to communicate with network devices, services, and components. It can discover network devices and gather information about the network
- Northbound API allows for gathering information from the Network Controller and is used to monitor and configure the network. It utilizes Powershell, REST, and other management functions.
99
What is the primary difference in authentication when a Network Controller is deployed in a domain versus outside of one?
- In ADDS domains, Network Controllers use Kerberos.
| - Outside of ADDS domains, Network Controller utilizes digital certificates for authentication.
100
When configuring Network Controller what are some items that need considered?
- Network Controller requires Server 2016 Datacenter Edition
- The Network Controller management client must be installed on Windows 8/8.1 or Windows 10.
- Dynamic DNS registration must be enabled for the registration of required DNS records for the Network Controller.
- You must create the following security groups if Network Controller is joined to the domain
- - A group that holds all users who can configure network controller
- - A group that holds all users with permissions to configure and manage the network via Network Controller
- It is recommended to deploy Network Controller on Hyper-V VMs over physical hosts.
101
When deploying Network Controller, what security groups are needed?
- One that determines who manages the Network Controller
| - One to determine who can manage other network resources with Network Controller
102
When configuring Network Controller off of a domain, what must be configured?
Certificate-based Authentication
- Certificate must be created on the management client that is trusted by Network Controller
- Certificate Subject Name must match the DNS name of the system holding the Network Controller role and have the Server Authentication EKU
- The certificate's subject name should resolve to the IP of the Network Controller
- The certificate must be trusted by all REST clients, the SLB MUX, and the southbound host computers that Network Controller manages
103
What high-level steps are used to deploy Network Controller?
1. Install Network Controller Server Role
2. Configure Network Controller Cluster
3. Configure Network Controller Application
4. Validate the Network Controller Deployment
104
How would you install the Network Controller role?
- Server Manager \ Add Roles and Features \ Roles \ Network Controller
- Powershell: Install-WindowsFeature -Name NetworkController
- - NOTE: No reboot required
105
When configuring Network Controller, what steps are involved with configuring the cluster?
```
1. Create a Node Object for each computer/VM that is a member of the cluster
New-NetworkControllerNodeObject
2. Configure the Cluster
- Install-NetworkConterollerCluster
a. Configure the Network Controller Application
New-NetworkControllerNodeObject
b. Get the NCEncryption certificate
c. Create the Network Controller Cluster
d. Encrypt Traffic between the REST nodes
3. Validate Deployment
- New-NetworkControllerCredential
- Get-NetworkControllerCredential
```
106
What is Software Load Balancer?
SLB evenly distributes tenant and tenant customer network traffic among virtual resources.
Similar to NLB as it enables multiple servers to host the same workload providing high availability and scalability.
107
What is the difference between North-South Traffic and East-West Traffic?
North-South is between servers and clients
| East-West is between servers
108
What actions does Network Controller use when hosting the Software Load Balancer?
- It processes SLB commands that come through the Northbound API
- It calculates policy for distribution to Hyper-V hosts and SLB MUXs
- It provides health status of the SLB Infrastructure
109
What policies can the Network Controller use with SLB to help distribute the traffic?
- Layer 4 load balancing for North-South and East-West traffic
- Internal and External Network Traffic
- Dynamic IPs
- Health Probes
110
What is the purpose of the Network Controller Datacenter Firewall feature?
- The Datacenter Firewall allows for configuring and managing Firewall ACLs for both East-West and North-South traffic.
- It is a network layer, stateful, multi-tenant firewall.
111
Where are firewall policies for the Datacenter firewall deployed and enforced?
- Policies are deployed through Network Controller
| - Policies are enforced at the vSwitch
112
What is a Network Security Group?
NSGs allow for defining rules to segment the virtual environment into virtual subnets, supporting multithreaded environments.
NSGs also contain ACLs that allow or deny traffic from subnets or machines.
113
What protections are offered by Datacenter Firewall?
- Define firewall rules that can only help protect internet-facing workloads on their virtual networks.
- Define firewall rules that can help protect traffic between VMs on the same L2 subnet and also between VMs on different L2 subnets
- Define firewall rules that can help protect and isolate network traffic between tenant or on-prem networks and their virtual networks at the service provider.
114
What are the components of a Datacenter Firewall ACL rule?
- Name
- Five tuple set (Destination port(s), Destination IP with CIDR, Source Port(s), Source IP with CIDR, and Protocol (TCP/UDP)
- Priority (101-65000)
- Action (Allow /deny)
115
What is the Powershell cmdlet to configure a Datacenter Firewall Rule (basic)?
$RuleProperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
Configure the following properties on the object
- Protocol
- SourcePortRange
- DestinationPortRange
- Action
- SourceAddressPrefix
- DestinationAddressPrefix
- Priority
- Type
- Logging
$AclRule = New-Object Microsoft.Windows.NetworkController.AclRule
116
With Datacenter Firewall can you apply specific ACLs to a specific interface?
Yes. This will cause ACls on the subnet and ACLs on the interface to both be applied. Network Interface ACLs will be prioritized.
117
How does Network Controller Authenticate users?
- Kerberos is used for authentication in domain environments
| - Certificates are used in non-domain environments
118
Can Network Controller be deployed on a physical host?
No. Network Controller can only be installed on a Hyper-V Guest.
119
How do you enable SDN Software Load Balancer along with Network Controller?
Install Network Controller on 3 Hyper-V VMs using the New-NetworkControllerServer cmdlet.
This enables SDN Software Load Balancing.
120
What can be managed with Network Controller?
- Hyper-V VMs and Virtual Switches
- Datacenter Firewall
- Remote Access Service Multi-tenant Gateways, Virtual - Gateways, and Gateway Protocols.
121
What are the primary features of Network Controller?
- Firewall Management
- Software Load Balancer Management
- Virtual Network Management
- RAS Gateway Management
122
Can Network Controller be backed up and restored?
This is not currently available in Server 2016.
123
How does Network Controller allow for Firewall Management?
- Network controller allows for configuring and managing allow/deny Firewall ACLs for the workload VMs for both east/west and north/south network traffic in the datacenter.
- The firewall rules are plumbed into the vSwitch so they are distributed across the datacenter.
- Using Northbound API the firewall rules can be defined for both incoming and outgoing traffic from the workload VM
- Traffic can also be logged.
124
How is Service Fabric for Network controllers the best option for Failover?
- It provides faster failover. Since each host is at least primary and secondary for one Network Controller Service, the secondary service is immediately made primary in the event of outage.
- Agility of scale. It is easy to scale the reliable services from a few instances to many and then back down based on resourcing.
125
In which scenarios is IPSec useful?
- Securing host-to-host traffic on specific paths, which can be servers, static IPs, or subnets.
- Securing traffic to servers, including restricting which computers can connect to a server.
- Use with L2TP for secure VPN connection
- Site-to-Site (Gateway to Gateway) tunneling
- Enforcing logical networks (server/domain isolation) which can logically isolate server and domain resources in a network and can be used limit access to authenticated and authorized systems.
126
In which scenarios is IPSec not recommended?
- Providing security between DCs and domain members
| - Securing all network traffic
127
Why is it not advised to use IPSec to secure traffic between DCs and Domain Members?
Encrypting traffic reduces overall network performance
128
Why is not advised to secure all network traffic with IPSec?
- The constant encryption and decryption will heavily reduce the network performance
- IPSec does not negotiate for broadcast and multicast which means some applications (e.g. ICMP) may not be compatible with IPSec.
- Network management is made very complicated.
129
What is the goal of a domain isolation policy?
Devices on the network will only accept connections from devices that are authenticated as members of the same isolated domain.
130
What is the main component of a domain isolation policy?
- Using connection security and IPSec rules to configure devices in the isolated domain to only accept network traffic from other devices that authenticate as members of the isolated domain.
- Devices will reject unsolicited network traffic from devices that are not members of this domain.
131
How would you provide a logical barrier between devices in a isolation domain and other devices on the same network segment?
Connection Security Rules
132
What are the characteristics of a Isolated Domain Design?
- Isolated Domain - Devices are isolated and reject inbound unsolicited traffic except when it is from members of the same isolation zone or devices listed as authentication exceptions.
- Boundary Zone - Devices are part of the isolation zone but receive inbound connections from untrusted systems. Typically these do not require authentication to communicate. Requires careful management and security.
- Trusted Non-Domain Members - No domain members. Cannot use IPSec authentication. They are allowed to communicate via authentication exemption rules.
- Untrusted Non-Domain Members - Devices that have unknown security configurations but may need to be communicated with due to business reasons. Isolation helps put a logical barrier between the domain and these devices.
133
Can members of an isolation domain send outbound traffic to outside of the isolation domain?
Yes. They can communicate with any device, even unauthenticated traffic.
134
If a system cannot be domain-joined can it be part of an isolation domain?
Yes. You will need to configure certificate-based isolation policy design.
135
Where are IPSec GPOs located?
GPMC: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ IP Security Policy on Active Directory
- NOTE: IPSec GPOs should not be confused with Connection Security Rules.
