3.3 Secure Network Design Flashcards
Load balancing
Spreads network loads across a set of resources.
Used for websites, high bandwidth files, IRC (Internet Relay Chat)
Active/Active
Two servers working together to distribute the load.
Active/Passive
One server is active and a second server (or more) is just observing, ready to take over if the primary server fails.
Scheduling
An algorithm decides which machine receives the load.
Types of scheduling:
Affinity-based & Round-Robin
Affinity-Based Scheduling
Keeps the host connected to the same server for the entire session.
Directs all load-balanced requests from that host back to the same server.
Round-Robin Scheduling
Sends each request to the next server in turn; it does not matter how big the request is.
Virtual IP
The server creates virtual IPs to give to the end users, so they request data from that server through the virtual address.
Persistence
Uses affinity scheduling; connects the user to the same target (server) in a load-balancing system.
Network Segmentation
Separates servers or network devices from the Internet.
VLAN
Virtual Local Area Network
A LAN is a set of devices that are connected to a switch.
A VLAN is the same thing, but it is run by software.
A trunk is used to send packets to other VLANs for communication.
Screened Subnet
Buffer zone between an untrusted network (the Internet) and a trusted network. Accomplished by placing hardened devices between the two.
East-West Traffic
Data that flows within an enterprise.
North-South Traffic
Data that flows outside the enterprise.
Extranet
A semi-private network that allows users to request information from the Internet but masks the IP address by using a VPN.
Intranet
Private network that only allows downloaded data to be shared across its network.
It can get information from the Internet by using a proxy server and a cache server to cut down repeated requests for the same thing.
Proxy servers also stop inappropriate content from being shared.
Zero Trust
Security model that does not allow you to trust anyone without validating their identity.
VPN
Virtual Private Network
Protocols that allow packets to be sent securely across an unsecured network.
VPNs work because only the endpoints can decrypt the message.
Protocols: SSH, IPSec, L2TP, SSL/TLS
Always On
When a VPN senses an Internet connection, it automatically turns on.
Split tunnel vs. full tunnel
Split tunnel: splits traffic so that only some of it goes through the VPN. Increases speed, but some packets are insecure.
Full tunnel: gives full protection over the network.
Site-to-Site
Encrypting traffic when connecting through an intermediary (the public Internet).
Remote
Allows a remote user to connect to a specific network.
IPSec
Protocol that defines how packets are sent, in two modes:
Transport mode encrypts the data being sent.
Tunnel mode encrypts the destination as well.
Security Association combines both.
SSL/TLS
Transport-layer security across the Web.
HTML5
Current version of HTML. Used to develop web page content.
The newer version can connect to a VPN and can connect to more devices, such as mobile.
L2TP
Layer 2 Tunnel Protocol
DNS
DNSSEC is a DNS protocol that validates DNS responses.
NAC
Network Access Control
A methodology that manages end-point devices.
Used to control who connects to the network.
NAC Agent
The NAC software is installed on the host device itself.
NAC Agentless
Agentless NAC code is stored within memory rather than installed on the host.
Out-of-Band Management
In-band management: a system that is directly connected to the physical data flow.
Out-of-band management: a system that is separate from the network itself, in case a physical connection is not available.
Port Security
Controls the devices that are connected to your switch through their MAC addresses.
Port Security types
Static learning: an assigned device connects to the switch and its MAC is stored.
Dynamic learning: MACs are stored as devices connect.
Sticky learning: multiple MACs are connected to a single switch port.
Flood Guards
Monitors traffic and drops connections when there is too much traffic.
BPDU
Bridge Protocol Data Unit
Blocks BPDU packets to stop a DoS attack.
Loop Prevention
DHCP Snooping
Prevents malicious DHCP servers from connecting to good DHCP servers, at the switch level.
MAC filtering
Allows you to block traffic coming from certain known machines or devices.
Jump Servers
Connect to a jump host before connecting to a protected network.
Basically using a middle-man connection to reach the important systems.
Proxy Servers
Servers that stop users from accessing bad websites
Types of Proxy Server
Forward proxy: protects the client.
Reverse proxy: protects the server.
NIDS
Network Intrusion Detection System
Detects and logs unauthorized network activity.
NIPS
Network Intrusion Prevention System
Same as a NIDS, but it takes action.
NIPS (IDS ways of identifying)
Signature-based: pre-downloaded signatures that the IDS looks for.
Heuristic/Behavior: uses AI or pre-assigned rules to identify intrusions.
Anomaly: deviation from any normal behavior.
NIPS/NIDS In-Band/Out-of-Band (Passive)
In-band: a sensor that looks for malicious traffic on a network.
Out-of-band: looks for things on a wider spectrum.
HSM
Hardware Security Module: a DEVICE that allows you to store encryption keys.
Used to keep passwords off a network.
ACL
Access Control List:
List of hosts that can make configuration changes to the network.
Routing Security
Protocols set in place so that packets are secure and network functionality is enabled.
QoS
Quality of Service:
Technologies used to manage a network's bandwidth, latency, jitter, and error rates.
Admins can allocate which packets are a priority through this.
Port Mirror/SPAN
Switch Port Analyzer: ability to copy the traffic from one or more ports.
Port Taps/TAPs
Test Access Point: hardware within a network that can copy all the packets that have been sent through it.
Not good because it can be used in a man-in-the-middle attack.
Monitoring Services/NSM
Network Security Monitoring: a SERVICE that analyzes network activity and alerts if network defenses have failed.