3.3 Flashcards
Load balancing
Distributes load of networks esp for large scale implementations and has faults tolerance in cause one fails
Can configure across multiple servers uses tcp offload (protocol overhead) and ssl offload (encrypt/defrypt) and caching (fast response) prioritization and content switching
Can use round robin form each person sent to consecutive networks
Weighted or dynamic round robin
Check if affinity or likeness is occurs where the same user is distributed to same network using same ip and port numbers
Network segmentation
Physically switch a and switch b like an airgap needs a cable or router firewall
Logical Vlans, can separate within one switch,, still needs cable within separate vlans
Can set up with performance, compliance or security in mind
A dmz connects to firewall and connects to screened subnet and not inside of network
Extranet for vendors and partners, has additional authentication process
Intranet only accessible from inside has announcements and company docs
East-west traffic for thousands of connections inside server
North south is incoming and outgoing
Vpn
Sending encryption and decryption between network and internet
Uses a concentrator with the client software includes remote access network (access inside from outside) such as ssl tcp/443) or html5 which supports api
Ipsec
Internet protocol security for anti reply , hi encryptions and multi vendor implementation
Can use transport mode header is sent and things in middle are encrypted
Can use tunnel mode, tunnel is header and data is encrypted with a new header this is most common
Can use esp( encapsulation security payload) uses sha2 for integrit checks
Port security
Physical switches and connections
Can limits traffic and remove unwanted traffic
Challenges are broadcasts that everyone gets on network can use broadcast storm control to limit broadcasts eap malicious
Another challenge is loop protection, connection two switches ro each other but the standard 802.1d can use spanning tree tool that connects to only non blocked port. If some outage occurs it will adapt and change paths u blocking and reblocking until outage is fixed called
Bpdu guard, bridge protocal data unit,
Dhcp snooping
Has a dhcp switch with trust abd untrusted tech watching all traffic and blocking untrusted devices
Mac filtering
Media access control that disallows traffic for all devices or limits a certain mac address
Domain name resolution
Dns has no sec but dnssec is an extension to validate dns responses and check origin authenticity and data integrity
Out of band management
Serial port that allow us to connect around network
Ipv6
Better security and configuration setting so no need for Nat thus simplifying the process removes arp and arp snooping
Taps and port mirrors
Tap Recieves acop of all info it sits in
Fim
File integrity monitoring monitors files that dont change like Os
Tripwire linux
Stateless vs stateful
Needs multiple rules for stateless
Needs one rule for both directions in stateful
Utm vs ngfw
Unified treat managmenet decve
Firewall but also url filter, malware inspection, spam filter, csu/dsu, router/switch, ids/ips functionality, bandwidth shaping, vpn endpoint
Next gen firewalls sees all data packets, evaluates all traffic and sees which apps are in use and doesnt need ip addresses, They are network connected, includes ILS, url filters/categorization of urls
Waf
Web app firewall that blocks inputs in webapp
