3.3 secure network designs Flashcards

1
Q

screened subnet

A

aka DMZ

a network architecture that uses a single firewall with three network interfaces.

Interface 1 is the public interface connected to the internet
Interface 2 connects to the demilitarized zone (DMZ)
Interface 3 connects to the intranet

2
Q

extranet

A

private network that allows organizations to share information and applications with third parties. Third parties may include: Suppliers, Partners, Customers, Other businesses.

3
Q

concentrator

A

a device that performs the encryption and decryption of tunnel traffic
usually built into the firewall

4
Q

L2TP

A

Layer 2 tunneling protocol

a computer networking protocol that creates a connection between a device and a VPN server.

5
Q

BPDU guard

A

SPANNING TREE PROTECTION

bridge protocol data unit guard

a security feature that protects the Spanning Tree domain from external influence

6
Q

NAT gateway

A

network address translation

A process that maps multiple private IP addresses to a single public IP address. This is done by rewriting the headers of IP packets while they are in transit through a router.

NAT can help improve security, privacy, and network performance. It can also reduce the number of IP addresses an organization needs.

7
Q

FIM

A

file integrity monitoring

tests and checks operating system (OS), database, and application software files to determine whether they have been tampered with or corrupted.

8
Q

network based firewall

A

- filters traffic by port number or application
- encrypts traffic
- layer 3 device
- NAT functionality

9
Q

stateless firewall

A

Stateless firewalls protect networks based on static information such as the source and destination address.

doesn’t understand traffic flows; rule based; relies on ACLs

clunky, outdated technology

10
Q

stateful firewall

A

network-based firewall that monitors the state of active network connections. It also analyzes incoming traffic for potential risks.

most are stateful, secure, and intelligent

11
Q

UTM

A

unified threat management
all-in-one security appliance

A UTM appliance will usually include functions such as antivirus, anti-spyware, anti-spam, network firewalling, intrusion detection and prevention, content filtering and leak prevention. Some units also provide services such as remote routing, network address translation (NAT), and virtual private network (VPN) support. The allure of the solution is its simplicity: organizations that may have had individual vendors or appliances for each separate security task can now have them all under one vendor umbrella, supported by one IT team or segment, and run through one console.

12
Q

WAF

A

web application firewall
applies to PCI DSS

13
Q

proxies

A

a server application that acts as an intermediary between a client and a server. Proxies can be software or hardware.
- access control
- URL filtering
- content scanning

14
Q

jump server

A

A jump server creates a barrier between networks, which provides an extra layer of security against outsiders who may want to access sensitive company data.

Increase security: Create a barrier between networks and separate the user workstation from network assets

Reduce exposure: Minimize direct connections to internal resources, reducing the risk of security threats

15
Q

HSM

A

hardware security module

safeguards and manages secrets (most importantly digital keys) and performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic operations

can be an appliance for multiple endpoints

16
Q

load balancing persistence

A

a load balancing function that routes a client’s subsequent connections to the same back-end device. This technique is also known as “sticky sessions”.

17
Q

NAC

A

Network Access Control (NAC) is a security method that uses protocols and policies to restrict access to a private network. NAC also unifies endpoint security technology, user authentication, and network security enforcement.

Agent-based NAC
- requires software agents to be installed on endpoints
- assesses security posture and controls access through policy enforcement
- works best for simple workloads with standard configurations and operating systems

Agentless NAC
- doesn’t require software installations on endpoint devices
- relies on device and user behaviors to trigger enforcement decisions
- ideal for complex, large-scale environments

18
Q

Out-of-band management

A

a method for remotely controlling and managing network equipment and critical IT assets. It uses a secure protocol connection through a secondary interface that is separate from the primary network connection.

19
Q

NIDS

A

Network Intrusion Detection System

inline - Inline sensors are placed directly in the data path, between the source and destination. They can take immediate action, such as blocking traffic, when an attack is detected.

passive - Passive sensors only monitor network traffic to detect and alert about security threats. A passive IDS that detected malicious activity would generate alerts or log entries but would not take action.

20
Q

NIPS

A

Network Intrusion Prevention System

21
Q

ACL

A

access control list

installed in routers or switches

table of a set of rules that specify which users or systems have access to a resource.

22
Q

QoS

A

Quality of Service

a set of technologies that manage network traffic and ensure the performance of critical applications. QoS can also refer to the overall performance of a service, such as a computer network, cloud computing service, or telephony.