3.2 Given a scenario, implement secure network architecture concepts. Flashcards
A company has two offices geographically separated. Employees can access both networks whenever they need to, using two virtual private network servers acting as gateways. Which of the following does this capability represent? (Choose more than one)
Always on
Site-to-site
A site-to-site Virtual Private Network (VPN) connects multiple networks rather than a single host to one network. Remote users can access both locations as if they were onsite without noticing the location separation.
Split tunneling is a means of encrypting a VPN connection on demand. It encrypts only the outbound traffic destined for private IP addresses.
Always-on VPNs allow for a continuous connection between the geographically separated servers and the employee.
Unified threat management (UTM) combines multiple security controls to provide a more robust security strategy and minimize the management of these devices.
A company requires a method of managing the network through a control layer separate from the data layer. The company would like to reconfigure the network by making changes from executable files, instead of physically reconfiguring. Which of the following should the company implement?
SDN
A Software Defined Network (SDN) separates data and control planes in a network. It uses virtualization to route traffic to its intended destination, instead of using proprietary hardware.
A Virtual Private Network (VPN) extends a private network across a public network. It allows users to send and receive data from an internal network across a public network.
The Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system and provides secure key storage for full disk encryption.
A Hardware Security Module (HSM) is a device used to generate, maintain and store cryptographic keys. It can be an external device and can easily be added to a system. The HSM will maintain the integrity of the key.
A system administrator implements a web server that both the internal employees and external vendors can access. What type of topology should the administrator implement?
DMZ
The Demilitarized Zone (DMZ) is between the two firewalls providing a layer of protection for the internet facing servers. It is an area of a network that is designed for public and company use. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN.
An Ad Hoc zone is created when two or more wireless devices connect to one another creating an on-demand network.
A guest network is a wireless network used to provide non-employees or guests with internet access. This access is limited to certain functions, such as internet surfing and email.
The wireless topology is used to extend a wired local area network through the use of an antenna.
A company would like to provide internet capabilities in the lobby of the office for customers. The service must be separate from the internal network and limit what they can access. What is the best network architecture solution?
Guest
A guest network is a wireless network used to provide non-employees or guests with internet access. This access is limited to certain functions, such as internet surfing and email. An Access Point (AP) is required.
An ad hoc zone is created when two or more wireless devices connect to one another, creating an on-demand network. This network architecture does not require an AP.
The wireless topology is used to extend a wired local area network through the use of an antenna. Wireless capabilities allow employees to stay connected anywhere within a certain area instead of sitting at their desk. A full-blown wireless zone would give guests too much access.
An extranet connects external users to internal resources.
Which appliance ensures only specific types of authorized traffic passes in and out of the host based on the rule in an Access Control List (ACL)?
Firewall
A system administrator needs to hide internal resource private IP addresses from the internet to protect from exploitation. What can the administrator apply to the network to complete this action?
Apply NAT to the Internet facing firewall
Network Address Translation (NAT) translates public IP addresses to private ones and vice versa. By using NAT on the firewall, a company can hide internal assets from the public internet.
A proxy acts on behalf of another service. A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused. It will not hide IP addresses.
URL filtering allows you to control access to websites by permitting or denying access to specific websites based on information contained in a URL list.
A Distributed Denial of Service (DDoS) mitigator is a tool used to decrease or deny DDoS attacks on networks.
A security engineer is using several virtual servers accessible from the company network to lure in potential attackers. What has the security engineer created?
Honeynet
A honeynet is a group of honeypots that mimic the functionality of a network. Once the honeynet has been penetrated by the attacker, administrators can observe the actions and gather information on the event.
A honeypot is a server that is intentionally left open or available, so that an attacker will be drawn to it versus a live network.
A mantrap is a physical security control designed to control access to secure areas. Mantraps provide the capability to lock a single person in an area if needed.
Biometrics is the practice of using an individual’s physical characteristics to authenticate and provide or deny access to a facility or system. It is considered “something you are.”