Secure network designs Flashcards
What is another function of a load balancer other than just... balancing the load?
TCP/SSL offload.
You can offset some of the protocol/encryption overhead by having the load balancer deal
In load balancing, what is round-robin?
Round robin is a method of load balancing in which the load is distributed completely evenly across all servers by sending each request to a different server in order.
Request 1 --> server 1
Request 2 --> server 2
Request 3 --> server 3
Request 4 --> server 1
Request 5 --> server 2
There is also such a thing as a “Weighted round-robin” where certain servers are prioritized over others, example: half of the requests will go to server 1, the other half will be distributed between servers 2-5.
“Dynamic round-robin” also exists, which monitors the server load and always gives traffic to the server that currently has the lowest utilization.
What is active/active load balancing?
All servers are active at the same time.
If one server fails, another will take over its load.
In load balancing what is affinity/sticky session/session persistence?
This is a way of ensuring that each user is stuck to the same server in load balancing scenarios. Typically tracked through IP address or session IDs.
Many applications require communication to the same instance.
What is active/passive load balancing?
This is when certain servers are active, and others are on standby.
If one of the active servers goes down or stops functioning, one of the standby servers will activate and start taking on the load in place of the downed server.
What are the 3 types of network segmentation?
Physical, logical, and virtual.
What is physical segmentation?
This is also called an air gap.
This is where devices are physically separate.
Like an air gap between Switch A and Switch B.
Two devices have no connection to each other physically.
What is logical segmentation?
Logical segmentation is almost always associated with VLANs.
This is a way of logically splitting up a switch to support two different networks, which cannot communicate with each other without a layer 3 device/router.
Basically, you split up one device and do the segmentation on that device instead of creating an air gap.
What is a screened subnet?
THINK DMZ (demilitarized zone); they don't call it that anymore. This is an additional subnet hidden behind a firewall to separate a more sensitive network (probably your company's internal corporate network) from a public-facing service that users are connecting to from the outside internet. All of the traffic coming from the external internet will be forwarded to the "screened subnet" rather than your internal network.
What is an extranet?
This is a separate network set up for vendors, suppliers, and other partners that need access to your internal resources.
Unlike a screened subnet, an extranet typically requires additional authentication.
You would typically get a login screen or something when trying to access an extranet from the internet, and if you authenticate, then you would be granted access to the extranet.
Similar to a screened subnet, they are split up by a firewall.
What is an intranet?
Intranets are only accessible from inside the network.
This has no external access; you can only get in internally or through a VPN.
Typically houses work related documents needed for an organization.
What is the difference between east-west traffic and north-south traffic?
This is almost exclusively referring to traffic flowing inside of a data center.
East-west traffic is going between devices in the same data center and is able to achieve relatively fast response times.
North-south traffic is either inbound or outbound from our data center and typically will have different security policies associated with it.
What is a VPN?
Really explain
A VPN is a way to send data securely through an area that would normally be considered public without anyone in the middle being able to understand anything that is being said.
An encrypted tunnel.
What is a concentrator in regards to VPNs?
When you connect to your corporate network using their VPN, you will be connecting to this device and it will middleman your conversations.
This is the device doing the heavy lifting with regards to VPNs.
This device handles all of the encrypting and sending out data, and decrypting anything that it happens to receive.
Often a standalone device or built into a firewall. There are also software-based options available (NordVPN, etc.).
These are almost always used with some kind of client software to make it all happen; sometimes there is something built into your OS for handling VPN connections.
What is an SSL VPN?
A VPN that uses SSL/TLS and communicates on TCP port 443 (think HTTPS: HTTP Secure, i.e. HTTP over SSL/TLS, get it?).
You don’t need any big VPN clients; it is able to authenticate users with no requirement for digital certificates, and can be run from a browser or from a (usually light) VPN client.
What is an HTML5 VPN?
This is a VPN that takes advantage of the recent upgrade to HTML to version 5.
HTML5 supports APIs and comes built in with a Web Cryptography API, which lets you create an encrypted VPN tunnel without the need for a separate VPN application; you can instead do it completely from your browser using HTML. Nothing to install.
You do need to make sure you have a browser that can support HTML5.
What is the difference between a full tunnel and a split tunnel VPN?
A full tunnel VPN configuration routes each and every connection through the VPN concentrator, even those not destined for the corporate network (or whatever the concentrator is attached to). For example, if you wanted to go to google.com while connected to the VPN, the traffic would be sent all the way to the VPN concentrator, then to google.com, and then back to you.
A split tunnel VPN allows you to make your own connections on the side, while still encrypting all traffic destined for the network behind the VPN concentrator (likely your corporate network).
What is a site-to-site VPN?
Think of a link where a corporate network connects to a remote site, with a VPN concentrator on both sides.
Effectively makes it so that a VPN connection can go both ways, with a concentrator on each side.
VPN concentrators can be built into a firewall, and this sort of setup will typically use firewalls because both sites will probably already have one.
What is L2TP?
Layer 2 tunneling protocol.
This is a way of connecting two networks which need to use a layer 3 (IP) network in between (probably due to distance) as if they were connected at layer 2.
Typically implemented with IPsec:
L2TP for the tunnel, IPsec for the encryption
Sometimes called L2TP over IPsec (L2TP/IPsec).
What is IPsec?
IPsec is security for OSI layer 3.
Allows you to have authentication and encryption over a layer 3 network.
Authentication and encryption for every packet.
Provides confidentiality and integrity (packet signing).
There are two major protocols you will use with IPsec:
AH (Authentication Header)
ESP (Encapsulating Security Payload)
When using IPsec what are the differences between transport mode and tunnel mode?
When using transport mode, everything in the IPsec packet is encrypted EXCEPT the IP header, which is left unencrypted so the packet knows where to go. This part is sent in the clear.
When using tunnel mode, the entire original packet is encrypted, including its IP header; a new outer IP header is added so it can be sent to the IPsec concentrator on the other side of the tunnel.
In IPsec, what is an Authentication Header (AH)?
This is what you would use if your only concern with your packets in IPsec were the integrity of the data.
This contains a hash computed over the packet together with a shared key that both IPsec concentrators know.
This doesn’t provide any encryption.
But it does provide integrity and authentication, as well as preventing replay attacks (because sequence numbers are included as a part of this communication).
In IPsec, what is ESP (Encapsulating Security Payload)?
This encrypts and authenticates the tunneled data found in IPsec packets.
All that is included is the encryption (using AES) and an integrity check value to ensure the data went through the network without any corruption.
Typically you would want to combine this with AH in most implementations of IPsec, so that you also get integrity and authentication to make sure the data gets through the network without anyone changing any of it.
What is BPDU guard?
When a device first connects to a spanning tree network, the switch takes some time to map out the network and make sure there won’t be any loops, even if what you are plugging in is not a switch.
You can configure a switch to skip this step (PortFast) for new devices plugged into it, but this leaves you unprotected if someone were to go up and plug in a switch; if that happened, a loop could form.
BPDU guard is the solution for this. With BPDU guard, the switch is constantly watching traffic coming from these interfaces, and if an interface ever sends a BPDU frame, it recognizes that there could be a switch on the other side of this communication and that PortFast no longer applies. It then disables that interface before there is an opportunity for a loop to occur.