3.3 Implement Secure Network Designs

Question 1

Previously known as the DMZ, and allows public access to resources without access to internal network.

Answer 1

Screened subnet

Question 2

A private network for partners like vendors and suppliers

Answer 2

Extranet

Question 3

Holistic approach to network security that involves ensuring all devices, processes, and people are verified/nothing is trusted.

Answer 3

Zero trust

Question 4

VPN that uses TLS protocols and doesn’t require a VPN client. Usually ran from a browser.

Answer 4

SSL VPN

Question 5

VPN that provides on-demand access. Software connects to a VPN concentrator via a tunnel.

Answer 5

Remote access VPN

Question 6

VPN type: traffic is encrypted through local concentrator and decrypted on the concentrator on the other side of the tunnel. Generally from firewall/concentrator to firewall/concentrator.

Answer 6

Site-to-site VPN

Question 7

VPN type: Remote user connects to a VPN concentrator and all traffic must pass through the concentrator before being sent out to 3rd party sites.

Answer 7

Full tunnel

Question 8

What is it called when a load balancer provides a preference connection to a specific server based off of a session ID?

Answer 8

Affinity

Question 9

What major support is provided by HTML5 that allows use of SSL VPNs without installing a client?

Answer 9

API support

Question 10

VPN type: Administrator can determine which traffic is allowed through the tunnel and what traffic can be transmitted over the public internet.

Answer 10

Split tunnel

Question 11

Protocol used to connect sites over IP as if they were connected over layer 2. Commonly implemented with IPSec

Answer 11

Layer 2 tunneling protocol (L2TP)

Question 12

What two main security features does IPSec provide?

Answer 12

encryption

packet signing (anti-replay)

Question 13

What are the two main IPSec protocols?

Answer 13

Authentication Header (AH)

Encapsulation Security Payload (ESP)

Question 14

What portion of a packet remains in the clear when sending IP packets via transport mode?

Answer 14

IP Header

Question 15

True or false: When sending IP packets via tunnel mode, the IP Header is not encrypted.

Answer 15

False

Question 16

An authentication header does not provide encryption, but rather what aspect of the data? (By using a hash and shared key)

Answer 16

Integrity

Question 17

True or false: ESP provides authentication as well as encryption of IP packets?

Answer 17

True

Question 18

What device can be used to control broadcast messages to prevent broadcast storms?

Answer 18

Switches

Question 19

What standard was developed to prevent loops?

Answer 19

Spanning tree protocol (802.1D)

Question 20

Process of a switch adding untrusted DHCP devices to a untrusted list.

Answer 20

DHCP Snooping

Question 21

Adds ability to authenticate responses when it comes to domain requests.

Answer 21

DNSSec

Question 22

What is it called when a DNS server redirects a user to a safe location when they are attempting to access a known malicious address?

Answer 22

DNS sinkhole

Question 23

What is a console router or comm server?

Answer 23

A centralized router that can connect you to all other network devices on the network

Question 24

What unique challenge is faced when it comes to security with IPv6?

Answer 24

difficult to IP/port scan

Question 25

A physical device that can be placed in the middle of a network transmission in order to capture traffic transmitted between the two devices.

Answer 25

Tap

Port mirror (software based)

Question 26

A location staffed with cybersecurity experts who are constantly monitoring for security risks and vulnerabilities.

Answer 26

Security operations Center (SoC)

Question 27

Monitoring that verifies files and alerts you when changes are made.

Answer 27

File integrity monitoring (FIM)

Question 28

Firewall that does not keep track of traffic flows.

Answer 28

Stateless firewall

Question 29

A device that includes a firewall along with many other features such as URL filtering, malware inspection, spam filters, routing, IDS/IPS, etc.

Answer 29

unified threat management (UTM) device

Question 30

A firewall that can evaluate all traffic at all layers of the OSI model.

Answer 30

Next generation firewall (NGFW)

Question 31

A firewall build specifically for applications using HTTP/HTTPS traffic.

Answer 31

Web application firewall (WAF)

Question 32

Used on many high-end websites, and are a requirement for websites that take credit card payment info through PCI DSS compliance.

Answer 32

WAF (web application firewall)

Question 33

How does edge control and access control vary?

Answer 33

Access control involves control from anywhere on the network, not just on the edge

Question 34

An assessment performed when a device is brought onto a network via BYOD policies.

Answer 34

Posture assessment

Question 35

Device that sits between users and the rest of the network.

Answer 35

Proxy server

Question 36

Type of proxy used to control internal access to the internet.

Answer 36

Forward proxy

Question 37

A proxy used to direct external traffic towards internal resources.

Answer 37

Reverse proxy

Question 38

IPS monitoring that logs and analyzes traffic, but cannot block malicious traffic.

Answer 38

Passive monitoring

Question 39

IPS monitoring that captures and analyzes packets before the traffic is able to reach the endpoint.

Answer 39

Inline monitoring

Question 40

What are the main ways for an IPS to identify malicious traffic?

Answer 40

Signature

Anomaly

Behavior

Heuristics (AI and big data)

Question 41

A server that allows you to make connections to various internal devices from the outside via a secure tunnel.

Answer 41

Jump server

Question 42

Device used to control your crypto keys and manages cryptography across entire organization.

Answer 42

Hardware security module (HSM)