3.3 Flashcards

1
Q

Load balancing

A

Devices that distribute load across multiple resources so that no single resource or device is overloaded to the point of bottlenecking or throttling. Best suited to stateless systems.

2
Q

Active/Active Load Balancing

A

All load balancers are active. If one of the active balancers fails, session interruption will occur, since there is no backup balancer to take over.

3
Q

Active/Passive Load Balancer

A

Used in high-availability solutions. One balancer handles all of the load while a passive one observes and steps in if the primary fails.

4
Q

Scheduling

A

Load balancers use a scheduling procedure to decide which machine gets a request.

Two commonly used algorithms: affinity-based scheduling and round-robin scheduling.

5
Q

Round Robin Scheduling (Load Balancing)

A

Round-robin sends each new request to the next server in the rotation. Requests are distributed in equal amounts, regardless of server load.
Weighted round-robin takes server load or other criteria into consideration when assigning the next server.

6
Q

Virtual IP

A

Load balancers use virtual IPs, which allow multiple systems to be presented as a single IP address.

7
Q

Persistence (Load Balancing)

A

The condition where a client keeps connecting to the same target in a load-balanced system. Persistence is achieved through affinity-based load balancing.

8
Q

Affinity-based scheduling

A

Designed to keep a host connected to the same server across a session. Applications can benefit from this method.

9
Q

Network Segmentation

A

A configuration of devices that allows access to only certain portions of a network. A typical example is a screened subnet or DMZ: both the internet and the intranet can reach a server placed there, but traffic cannot cross it directly, meaning the internet cannot pass through the DMZ to get into the intranet.

10
Q

Virtual Local Area Network (VLAN)

A

A VLAN allows computers on different physical networks to act and communicate as if they were on the same network. This provides network flexibility, scalability, and performance, and lets administrators reconfigure the network without physically relocating or re-cabling systems.

11
Q

Screened Subnet (Previously Known as Demilitarized Zone)

A

A screened subnet is the buffer zone between the untrusted internet and an organization's internal network. Firewalls on each side are used to stop anomalous traffic from the internet into the internal network and vice versa.

12
Q

East-West Traffic

A

Data flow between devices within a portion of the enterprise.

13
Q

Extranet

A

A semi-private network that uses common network services to share information and provide resources to business partners; in effect, it enables information sharing between multiple organizations.

14
Q

Intranet

A

A network that has the same functionality as the internet but lies completely inside the trusted area of a network and is under the security control of the system and network admins. Content on an intranet is not available to the internet.

15
Q

Zero Trust

A

A security model based on the principle that no request should be trusted without verifying authentication and authorization.

16
Q

Virtual Private Network (VPN)

A

VPNs tunnel data between two endpoints. Data intercepted by an attacker while inside the VPN tunnel cannot be read.

17
Q

Always-on VPN

A

VPNs that require no additional user involvement and activate automatically once an internet connection is detected.

18
Q

Split Tunnel vs. Full Tunnel

A

A split-tunnel VPN sends some traffic over the VPN and other traffic outside it. This can prevent bottlenecking.

A full-tunnel VPN sends all traffic over the VPN.

19
Q

Remote Access vs. Site-to-Site

A

Site-to-site communication links two networks across an intermediary network (site-to-internet-to-site). To secure the traffic, a VPN or tunnel is needed.

Remote access via a VPN is bad because it effectively lets a person connect directly to your machine with free rein.

20
Q

SSL/TLS

A

This protocol uses public key encryption to exchange a symmetric key that is then used for confidentiality and integrity protection, as well as authentication.

21
Q

HTML5

A

The current version of the HTML standard. Fewer plug-ins are needed to make full use of HTML5. One enhancement is better compatibility for a VPN implementing a secure HTML5-based remote access solution.

22
Q

Layer 2 Tunneling Protocol (L2TP)

A

L2TP is a tunneling protocol used to support VPNs. It is an extension of PPTP, and L2TP can be used across all kinds of networks. L2TP in routers can concentrate VPN traffic over higher-bandwidth lines and create a hierarchical network that can be managed effectively across an enterprise. L2TP can also be used with IPsec and other encryption tools.

23
Q

Network Access Control (NAC)

A

NAC is used to manage the endpoints on a case-by-case basis as they connect to the network.

24
Q

Agent and Agentless

A

Agent: Code is stored on the host machine for activation and use at the time of connection.

Agentless: The code resides on the network and is loaded into memory on machines that are requesting connections; since it never persists on a host machine, it is agentless.

25
Q

Out-of-Band Management

A

Out-of-Band Management channels are physically separate connections that permit active management even if the data channel is blocked.

26
Q

Port Security

A

Port security is a switch capability that lets you control which devices, and how many of them, can connect through each port on a switch. It has three variants: static, sticky, and dynamic learning.

27
Q

Broadcast Storm Prevention

A

A flood guard can manage the traffic rate and the percentage of bandwidth occupied by broadcast, multicast, and unicast traffic. It can therefore prevent the various floods that cause DoS attacks.

28
Q

Bridge Protocol Data Unit (BPDU) Guard

A

These guards help stop attackers from sending large numbers of BPDU packets, which are resource-heavy and can cause a DoS attack.

29
Q

Loop Prevention

A

Packets can get caught in a loop at layer 2 and never resolve, because there is no countdown mechanism that drops them after a certain point. To remedy this, the Spanning Tree Protocol was created to break loops and ensure proper broadcast handling.

30
Q

Dynamic Host Configuration Protocol (DHCP) Snooping

A

DHCP snooping is a defensive measure that attempts to prevent malicious DHCP servers from establishing contact: it examines DHCP responses at the switch level and does not forward those from unauthorized DHCP servers.

31
Q

Media Access Control (MAC) Filtering

A

MAC filtering is the filtering of packets based on a list of approved MAC addresses. It provides machine authentication. On wireless networks, attackers can spoof MAC addresses and bypass this feature.

32
Q

Network Appliances

A

Network appliances provide services across a network.

33
Q

Jump Server

A

A jump server is a hardened system on a network that is used to access devices in a separate zone, for example to protect and provide a means of access to resources in a screened subnet.

34
Q

Proxy Server

A

A proxy server can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites. It provides security by filtering outbound requests.

35
Q

A Forward Proxy

A

A forward proxy forwards requests to servers based on a variety of parameters, as described in the other portions of this section.
Forward proxies can be used to bypass firewall restrictions, act as a cache server, and change your IP address (more useful before the widespread adoption of NAT).
Attackers can use forward proxies to carry out man-in-the-middle attacks.

36
Q

A Reverse Proxy

A

A reverse proxy is typically installed on the server side of a network connection, often in front of a group of web servers, and intercepts all incoming web requests.
A reverse proxy can perform traffic filtering, Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption, serving of common static content such as graphics, and load balancing.

37
Q

Signature-based IDS

A

The IDS has to know what the known "bad" looks like ahead of time before it can identify and act upon suspicious or malicious traffic.

Signature-based IDSs work by matching signatures in the network traffic stream to defined patterns stored in the system. Their weaknesses are reliance on accurate signatures and a lack of scalability.

38
Q

Heuristic/Behavior-based IDS

A

Uses AI to detect intrusions and malicious traffic. It needs a baseline or collected set of “normal behavior” in order to detect anything that seems out of the ordinary.

39
Q

Anomaly-based IDS

A

An anomaly is a deviation from an expected pattern or behavior. Specific anomalies can also be defined, such as Linux commands sent to Windows-based systems, and implemented via an AI-based engine to expand the utility of specific definitions.

40
Q

In-line vs Passive

A

An in-band NIDS/NIPS is an inline sensor coupled to a NIDS/NIPS that makes its decisions “in band” and enacts changes via the sensor. This has the advantage of high security, but it also has implications related to traffic levels and traffic complexity. In-band solutions work great for protecting network segments that have high-value systems and a limited number of traffic types, such as in front of a set of database servers with serious corporate data, where the only types of access would be via database connections.
vs
An out-of-band system relies on a passive sensor, or set of passive sensors, and has the advantage of greater flexibility in detection across a wider range of traffic types. The disadvantage is the delay in reacting to the positive findings, as the traffic has already passed to the end host.

41
Q

HSM

A

A hardware security module (HSM) is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashing, or the application of digital signatures.

Storing private keys anywhere on a networked system is a recipe for loss. HSMs are designed to allow the use of the key without exposing it to the wide range of host-based threats.

42
Q

Sensors

A

Network-based sensors can provide coverage across multiple machines, but traffic engineering limits them to the systems whose packets pass them. They may have issues with encrypted traffic: if a packet is encrypted and they cannot read it, they are unable to act upon it. Network-based sensors also have limited knowledge of what the hosts they see are doing, so their analysis is limited in its ability to make precise decisions on the content.

Host-based sensors provide more specific and accurate information in relation to what the host machine is seeing and doing, but they are limited to just that host.

43
Q

Collectors

A

Collectors are sensors, or concentrators that combine multiple sensors, that collect data for processing by other systems. Collectors are subject to the same placement rules and limitations as sensors.

44
Q

Aggregators

A

An aggregator is a device that takes multiple inputs and combines them to a single output.

45
Q

Firewall

A

A firewall can be hardware, software, or a combination of both whose purpose is to enforce a set of network security policies across network connections. It is much like a wall with a window: the wall serves to keep things out, except those permitted through the window.

46
Q

Web Application Firewall (WAF)

A

A web application firewall (WAF) is a device that performs restrictions based on rules associated with HTTP/HTTPS traffic. By definition, web application firewalls are a form of content filter, and their various configurations allow them to provide significant capabilities and protections.

WAFs can detect and block disclosure of critical data, such as account numbers, credit card numbers, and so on. WAFs can also be used to protect websites from common attack vectors such as cross-site scripting, fuzzing, and buffer overflow attacks.

47
Q

NGFW

A

Next-generation firewalls can keep track of the state associated with a communication, and they can filter based on behaviors that are not properly associated with the state of the communication.

48
Q

Stateful Firewall

A

A stateful packet inspection firewall can act upon the state condition of a conversation—is this a new conversation or a continuation of a conversation, and did it originate inside or outside the firewall? This provides greater capability, but at a processing cost that has scalability implications.

Stateful means that the firewall maintains, or knows, the context of a conversation. A disadvantage of stateful monitoring is that it takes significant resources and processing to perform this type of monitoring, and this reduces efficiency and requires more robust and expensive hardware.

49
Q

Stateless

A

The typical network firewall operates on IP addresses and ports, in essence a stateless interaction with the traffic. The most basic firewalls simply shut off either ports or IP addresses, dropping those packets upon arrival. While useful, they are limited in their abilities as many services can have differing IP addresses, and maintaining the list of allowed IP addresses is time consuming and, in many cases, not practical.

Stateless filtering is easier for systems that don't require many services from other servers.

50
Q

Unified threat management (UTM)

A

UTM devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping. These devices are designed to simplify security administration and are targeted for small and midsized networks.

51
Q

Network Address Translation (NAT) Gateway

A

To compensate for the lack of available IP address space, organizations use Network Address Translation (NAT), which translates private (nonroutable) IP addresses into public (routable) IP addresses.

52
Q

Content/URL Filter

A

Content/URL filters are used to limit the types of content users can reach across the Web. A common use is to block sites that are not work related, such as Facebook and online games. Content filters can also examine the actual content being returned to a browser, looking for a list of restricted terms or items and blocking based on the returned content rather than on the URL.

53
Q

Appliance vs. Host Based vs. Virtual

A

In software-defined networking (SDN) networks, firewalls can be instantiated as virtual network functions, providing all of the features under a virtual software solution.

Firewalls can also be instantiated via an appliance, acting as a network segregation device, separating portions of a network based on firewall rules.

54
Q

Route Security

A

The protocols used to connect the various networks range from simple, like the Internet Protocol (IP), to more complex, such as BGP, IS-IS, OSPF, EIGRP, and RIPv2. Maintaining route security is part of the function of each of these protocols, and each serves to fulfill a specific needed functionality in connecting networks.

55
Q

Implications of IPv6

A

IPv6 has many implications for secure network designs—some good, some problematic. IPv6 enables end-to-end encryption, which is great for communication security but bad for network monitoring. IPv6 uses the Secure Neighbor Discovery (SEND) protocol, which alleviates ARP poisoning attacks.

56
Q

Port Taps

A

Port taps, when placed between sending and receiving devices, can be used to carry out man-in-the-middle attacks. Thus, when placed by an unauthorized party, they can be a security risk.

57
Q

Monitoring Services

A

Network security monitoring (NSM) is the process of collecting and analyzing network data to detect unauthorized activity.

58
Q

File Integrity Monitors

A

Whenever you download a file from an online source, even if from the vendor of the file, you should perform a file integrity check to ensure that the file has not been tampered with in any fashion. This will alert you to a changed binary, even if the hosting agent of the file doesn’t know about the specific issue. File integrity checks operate by taking a hash of the file and comparing this value to an offline store of correct values. If the hashes match, then the file is unaltered.