CCCS Flashcards
Meaning SDDC
Software defined datacenter
Meaning CSP
Cloud Service Provider
SDN Benefits
Deliver and share system resources quickly and efficiently.
3 layers of SDN framework
Control Layer
Infrastructure Layer
Application Layer
How does the Control Layer of the SDN operate
Runs SDN operations using the OpenFlow protocol to connect supported devices
What is contained within the Infrastructure Layer of the SDN
Represents physical components e.g. switches and routers
What does the Application Layer of an SDN provide
Open areas to develop end-user apps and services. It also includes configuration, management, monitoring, troubleshooting, policies and security
Conventional Network V SDN Architecture
In a conventional network the control plane and data plane are fused, which limits the capacity to virtualize network resources.
What role do APIs play in SDN
APIs are used to send and receive requests to resources
How does SDN routing differ from conventional routing
Direct software programming of routing instead of relying on routing protocols
Three Types of Cloud Deployment
- Public
- Private
- Hybrid
Three Cloud Service Models
Infrastructure-as-a-Service (IaaS)
Platform-as-a-Service (PaaS)
Software-as-a-Service (SaaS)
What are the features of Infrastructure-as-a-Service (IaaS)
IaaS solutions host data center infrastructure and help customers customize the design of their SDNs.
What are the features of Platform-as-a-Service (PaaS)
PaaS provides organizations with virtual resources that support developing software
What are the features of Software-as-a-Service (SaaS)
SaaS refers to a cloud service that delivers applications to an organization’s end users through a web browser.
What is AWS network called
VPC
What is Azure network called
vNet
What is GCP network called
VPC Network
What is AWS access to the internet called
Internet Gateway
What is Azure access to the internet called
Public IP
What is GCP access to the internet called
Internet Gateway Route
What is AWS autoscaling called
AutoScaling Groups
What is Azure autoscaling called
Virtual Machine scale sets
What is GCP autoscaling called
Instance groups
What is the basis for AWS access control
Security groups
What is the basis for Azure access control
Network security group
What is the basis for GCP access control
Firewall rules
What is AWS automation called
CloudFormation
What is Azure automation called
Cloud Deployment Manager
What are the advantages of cloud
- Flexible
- Efficiency
- Accessibility
- Savings
- Innovation
- Opportunities
What is a limitation of CSP Native Security Controls
Lacking and generally only cover the infrastructure
What direction are attacks not often protected from
Lateral Threats
Why are traditional network attacks more abundant in the cloud?
Rapidly changing workloads
Four Cloudguard offerings for private and public cloud
IaaS for Public Cloud
IaaS for Private Cloud
SaaS
Dome9
What is the difference between Public and Private CloudGuard IaaS
Public (AWS) v Private Vendors (ESXi)
What type of applications does CloudGuard SaaS protect?
Email and other SaaS-based apps (Dropbox, etc.)
What type of CloudGuard provides security posture management and compliance?
CloudGuard Dome9
What characteristics best define CloudGuard
Centralized Management
Cloud Diversity
DevOps Ready
Adaptive and Automatic
What do security layers in policy provide
Granular control and access delegation
What are the primary components of SMS
- SmartConsole
- Management Server
- SmartEvent (optional)
What does the CloudGuard Controller do?
Provides visibility and allows for automation and adaptive security
What do CloudGuard IaaS security Gateways provide
perimeter and east-west traffic protection in public / private cloud
In CloudGuard, what functionality does the Identity Awareness blade provide?
Allows security policy to be defined by cloud resources collected by the CloudGuard controller
Elastic licensing
Licensing that provides quick provisioning of assets using cores licensed to deployed gateways.
The shared security model requires consumers to provide what 2 items?
Data Security
Network access security
CloudGuard IaaS defends cloud resources via
firewall
data security
advanced threat prevention
forensic analysis
What are the five underlying security principles of secure public cloud
- Security with Advanced Threat Prevention
- Network Segmentation
- Agility
- Automation, Efficiency, and Elasticity
- Borderless
What are the three layers of network segmentation within the CloudGuard solution?
- The first layer applies a Security Gateway that enforces firewall policies to accept legitimate network traffic flows and deny unauthorized network traffic.
- The second layer uses advanced Threat Prevention Software Blades to extend the Security Gateway’s traffic inspection by identifying and blocking malicious behavior within east-west traffic flows.
- The third layer advances security with micro-segmentation to allow a clear separation of networks and the different operating concerns associated with Development, Operations, and IT teams.
Define micro-segmentation
Micro-segmentation creates boundaries by placing inspection points between different applications, services, senders, and single hosts within the same network segment.
Why use hub and spoke for Cloud Blueprint
All traffic that enters and exits each spoke must travel through a hub. Spokes use network segmentation to clearly separate SDNs from one another and isolate their workloads. This allows differing ownership in the spoke while controlling security in the hubs
What is a hub in a secure public cloud blueprint layout
Hubs operate as software defined data centers that use Security Gateways in combination with network traffic load balancers to protect the cloud’s perimeter according to its current scale. Each hub manages and delivers traffic to the spoke networks. Individual hubs communicate with one another through the SDN’s routing switches.
What type of traffic does the northbound hub protect
The Northbound hub serves as the front end of the SDDC that permits inbound web communications such as HTTP traffic from the Internet to reach spoke SDNs.
What components commonly in northbound hub
Public IP
External Load Balancers
Security Gateways
Does any inbound traffic not go through northbound hub
Non-transitive traffic, done through peering
What does southbound hub do
outbound transit traffic from the spokes
communication applications
software updates
VPN
What do you use to avoid double NAT in an Azure Southbound peering
UDR (User defined routes)
How do you route transit traffic without a UDR in AWS & GCP
VPNs, leveraging VTI (VPN Tunnel Interface) and BGP
OSPF cannot be used because it relies on layer 2, which does not exist in the cloud
Check Point HA CSP Hub Limitations
two Security Gateway members
AWS and Azure require Security Gateways to reside in the same location in a region
SDNs do not allow HA with state synchronization failover
Which hub (north or South) allows automatic HA deployment
Northbound
What components are commonly found in the southbound hub to support SDDC connectivity
Load Balancers
VPN Gateways
At a minimum what components should be present in a secure public cloud blueprint
SMS
one or two hubs with security gateways (IaaS)
Peering connection between spokes
Following the Secure Cloud Blueprint what is the Azure recommended config
- Northbound Hub - Supports incoming public facing Internet traffic.
- Southbound Hub - Manages outbound access to Internet and VPN connections to corporate on-premise locations
- Spoke - Represents segmented SDNs with different resources, security, and access levels (IPSEC + BGP)
- CloudGuard Auto Scaling - Protects the Northbound hub entrance with an elastic set of automated Security Gateway deployments.
(See document for diagram for more specifics)
Moving applications or services in an SDDC significantly improves what?
Less time required
Fewer resources required
In a public cloud, what are the two ways of deploying an IaaS Security Gateway?
Standalone = combined Security Gateway and management
Distributed = separate VMs for the gateway and management
Why might it be preferred to deploy SMS not in the cloud, but on prem
Can then manage on prem gateways as well as cloud instances
SDDC cluster limitations
- Cluster installations support High Availability mode only. This cluster configuration excludes ClusterXL Load Sharing and the Virtual Router Redundancy Protocol (VRRP)
- Security Gateways with HA configurations must communicate with the SDDC to achieve failover with the secondary Security Gateway member. The failover process requires extra time to complete since the Security Gateways must communicate with the SDDC first.
- Clusters must include a maximum of two members.
- Avoid deploying management servers and cluster members in a stand alone configuration.
- Both cluster members must reside in the same region and location.
Three ways you can deploy CloudGuard IaaS
- CSP Portal - Provides access to create, view, and manage CloudGuard resources.
- PowerShell - Uses predefined CloudGuard IaaS Security Gateway templates for automated deployments.
- Command Line Interface (CLI) - Launches CloudGuard Security Gateways with command line scripts.
Understanding CSP resources “Geographic Region”
AWS uses Availability Zones
Azure refers to them as Locations
GCP describes them as Zones
Understanding CSP resources “Network”
Make sure correct network association
A new CloudGuard IaaS deployment will be needed to protect each network segment
Understanding CSP resources “Subnets”
Contains only itself and no other VMs
Understanding CSP resources “Public IP”
Public IP: Ensure a static IP for external connectivity
Understanding CSP resources “Private IP”
Private IP: Internal resource connectivity
Understanding CSP resources “Load Balancers”
- In the cloud’s inbound perimeter, external load balancers direct Internet traffic to spoke networks with an inbound NAT configuration.
- Within spoke networks, internal load balancers distribute traffic loads between servers.
Understanding CSP resources “Security Group”
- protects inbound and outbound traffic access to virtual machines.
- VMs in the same subnet can receive coverage from different Security Groups
- If VMs do not receive a Security Group assignment during their deployment, the CSP assigns a default Security Group to them.
Understanding CSP resources “Tags”
CSPs use tags (labels) to attach identifying information to cloud resources
CloudGuard Controller uses tags to discover new, automated CloudGuard IaaS Security Gateway deployments to include in the Security Policy.
Understanding CSP resources “Identity and Access Management”
An Identity and Access Management (IAM) credential represents a user or application that needs to contact the SDDC to carry out an operation.
Activating IAM permissions on CloudGuard IaaS requires adding the client-id during VM deployment
What to check when deploying CloudGuard IaaS
Tags - Review each VM to confirm it reflects the correct tag associations.
IAM - Verify each CloudGuard IaaS deployment contains the relevant IAM client-id and client-secret credentials.
Networks and Subnets - Examine each CloudGuard deployment and validate that it maps to the correct SDN and subnet.
Installation Time - Wait for the deployment process to finish completely before proceeding with the next phase of configuring security protections.
Some CSP related issues when deploying IaaS
AWS - Register software subscription agreements before deploying CloudGuard IaaS VMs or the CSP will roll back the deployment.
Azure - CloudGuard IaaS deployments require approximately fifteen minutes to finish.
What are the five management tools in CloudGuard IaaS to create and manage policy
- Gaia Portal
- SmartConsole
- CLI
- Security Objects
- Rule base
What is Gaia Portal
Functions as the primary web user interface for the Gaia OS platform. Through this portal, Security Administrators may configure the SMS and Security Gateway properties.
What is SmartConsole
Acts as a GUI that configures and enforces the Security Policies that protect the environment
What are Security Objects
Represent all the network components such as Security Gateways, web servers, networks, and services.
What is CLI
Provides the interface that activates commands to configure the operation of the CloudGuard IaaS security solution.
What is Rule Base
Establishes a set of rules that define and protect the SDDC’s perimeter and connections to SDNs.
What are the two types of policy approaches used in Check Point Policy
- Ordered
- Inline
What is Ordered Policy
Performs one or more security actions to the rule base in a top-down order against every layer of the Security Policy.
What is Inline Policy
Optimizes the rule matching process by reusing the same security layer in the same policy or in multiple policies.
CloudGuard IaaS security policy combines what two policy types
- Traditional Security Policy
- Context Aware / Adaptive Policy
What does an adaptive security policy provide
- This policy format broadens the scope of network security by protecting resources created from one or more CSPs.
- application owners gain control of their application deployments since they can add and remove resources without impacting security.
Which cloud defined objects assist in security policy creation
- Data Center Objects
- Tags
What can an imported data center object contain
- Subnets
- Hosts
- Tags
- Entire cloud data center
What options are available when importing data center objects
Region View - Imports SDNs, subnets, and VMs as security objects by region.
Tags View - Identifies all VM resources with a specific tag key or tag value.
Search View - Uses a search field to locate a specific cloud resource.
What are some guidelines when creating tags
AWS allows only one data center per region to use a specific tag.
Azure and GCP associate tags with one data center per CSP subscription.
All CSPs permit assigning multiple tags to a single virtual machine
What components are required for automated security policy
SMS
CloudGuard Controller
Security Gateway
What is the one thing that all gateways require to make API calls to SDDC
IAM private key registration
Where do you activate the CloudGuard Controller to communicate via API calls to the SDDC
SMS
What does the SMS require to enforce policy on gateway
SIC
What component of CloudGuard scans the environment for changes in cloud resources.
CloudGuard Controller
What happens when CloudGuard Controller detects a new or modified object
New=create a new DC object
Modified = updates Identity Awareness, then the object configuration, then the policy
How many phases in the CloudGuard workflow?
2
What are the steps in phase 1
- Connect to the Cloud - Requires the Security Gateway to authenticate with the cloud environment with an IAM registration.
- Retrieve Cloud Resources - Imports cloud resources from Data Center A and stores them inside the CloudGuard Data Center server’s repository. After each scan, the system compares cloud objects in Data Center A against the Data Center objects stored in the Data Center Repository to synchronize any changes to the Security Policy.
What are the steps in phase 2
- Import Data Center Object - Add the Data Center object or its tag into a rule.
- Manual Security Policy Installation - Converts Data Center objects into an Identity Awareness Access Role, which authorizes the Security Gateway to receive dynamic updates any time the Data Center object’s configuration changes.
- Automated Access Role Updates - Uses the CloudGuard Enforcer to deliver Access Role updates from the SMS to the Security Gateway.
What must gateways maintain with SMS to receive automated security policy updates
SIC
How do you check the state of the CloudGuard process
go to the CLI of the SMS and execute cloudguard on
How do you verify connectivity between SMS and SDDC
Open data center object in the SMS and select test configuration button
What log is used for troubleshooting the CloudGuard Controller
Cloud_proxy.elg
What type of traffic needs to be allowed between SDDC and security gateway
http
VPN connections
High availability sync
SDDC traffic
What does the forward proxy provide in traffic management
Converts web traffic going from a spoke to the Internet from port 8080 to port 80 so it can be delivered to the northbound hub
Does each security gateway require a VPN domain for connectivity
yes
What type of VPN domain configuration is required to communicate with SDNs
Star
What is the required setting for high availability gateway sync
Eth0 & Eth1 must have Sync as their type (may need to be changed depending on CSP mods)
Does the CSP or the gateway provide anti-spoofing
The CSP; if anti-spoofing is not disabled on the gateway, it may reject load balancer traffic
What setting is required to ensure the original IP address information
The gateway’s X-Forward setting (the CSP does not hide the source IP of Internet traffic behind load balancers)
Describe the components that CloudGuard IaaS uses to develop a Security Policy.
- Gaia Portal - Functions as the primary web interface for the Gaia OS platform. This tool configures SMS and Security Gateway properties
- SmartConsole - Acts as a GUI that configures and enforces the Security Policies that protect the environment
- Security Objects - Represent all the network components in the cloud environment such as Security Gateways, web servers, networks, and services
- CLI - Provides the interface that activates commands to configure the operation of the CloudGuard IaaS security solution
- Rule Base - Establishes a set of rules that define and protect the SDDC’s perimeter and connections to SDNs
Discuss the phases of the CloudGuard Controller workflow process to import and secure cloud Data Center objects.
Phase I:
The Security Gateway must establish a secure connection to the cloud with an IAM registration.
Then the CloudGuard Controller scans the cloud, pulls Data Center objects from the data center and stores them inside the Data Center Repository. The Controller continues to scan the environment to find changes to Data Center objects. When the system finds a modified Data Center object, it updates the Security Policy with the changes.
Phase II: Incorporates Data Center object changes into the Security Policy:
First, import the Data Center object or its tag into a rule.
Next, manually install the Security Policy so the object converts into an Identity Awareness Access Role that the Security Gateway can monitor and update any time the Data Center object changes.
After the manual Security Policy installation, the CloudGuard Enforcer automates the delivery of Access Role updates from the SMS to the Security Gateway.
Discuss the traffic management settings that Security Gateways require to accept traffic from the cloud.
The Forward Proxy setting allows the Security Gateway to transfer outgoing proxy traffic out of a spoke to reach the Internet.
Security Gateways require a VPN domain configuration to connect with SDNs in the SDDC. The VPN domain requires a star configuration that accepts center-to-satellite connections.
High Availability Security Gateway cluster members require their eth0 and eth1 interfaces to include the Sync network type setting.
Security Gateways must include a configuration that disables Anti-Spoofing to accept legitimate traffic from load balancers.
The X-Forwarding setting allows Security Administrators to see original packet’s IP address information.
Describe the two advantages of deploying resources in the cloud.
- Creating new deployments or transferring resources to another SDN requires less time.
- Issuing new applications instead of deploying hardware streamlines deployment processes and involves fewer resources.
Identify the limitations associated with deploying a CloudGuard Security Gateway cluster.
Cluster installations support High Availability mode only.
The failover process requires extra time to complete since the Security Gateways must communicate with the SDDC first.
Clusters must include a maximum of two members.
Avoid deploying management servers and cluster members in a standalone configuration. Both cluster members must reside in the same region and location.
Discuss which network setting misconfigurations impact the success of CloudGuard deployments.
Missing tags prevent VMs from reflecting the correct network associations.
VMs without IAM user credentials cannot communicate with the SDDC.
Describe the elements of the CloudGuard architecture
Security Management Platform - includes a Management server core, SmartConsole, GUI, and SmartEvent to perform security operations and reporting functions
CloudGuard Controller - a sub-component of the Security Management Server that gathers cloud resources to define Security Policy with an identity-based context.
Security Gateway Protections - Virtual Machines that operate in the cloud to protect its perimeter, secure east-west traffic, and establish VPNs to securely connect SDNs with on-premises networks.
Next Generation Threat Prevention - Inspects cloud applications and virtual resources for malicious threat activity.
Identity Awareness - Monitors and logs traffic based on the identity of cloud resources.
Elastic Licensing - Uses a central license pool to add/remove licenses to Security Gateway deployments.
Discuss the components of the Secure Public Cloud Blueprint.
Hubs - Operate as Software Defined Data Centers that permit inbound/outbound web traffic into the perimeter of the data center. Northbound hubs include public IP addresses, external load balancers, and automated CloudGuard IaaS Security Gateways. Southbound hubs manage outbound Internet traffic and transit traffic connections between the SDDC and on-premise networks.
Spokes - Function as isolated environments for applications and services. Spokes allow internal access and/or public access to their contents.
Network Connections - Peering connects SDNs directly without going through hubs to reach spoke networks.
Identify the minimum system requirements of a secure public cloud.
A secure public cloud should include a Security Management Server that resides in the SDDC or in an on-premise location. The environment should also contain one or two hubs with CloudGuard IaaS Security Gateways, and Peering connections between spoke networks.
Discuss the advantages of cloud network architecture?
Enables direct programming of the network configuration to improve network performance and monitoring.
Uses a centralized management layer to deliver faster performance than conventional networks.
Allows virtualization of network resources to process at faster speeds and dynamically respond to network loads.
Describe the cloud service models and their benefits
IaaS - Hosts an infrastructure to create custom SDNs and store data. This service model meets the requirements of network architects.
PaaS - Build software applications, web servers, and databases in an SDN managed by the CSP. This service model also provides organizations with what they need to develop, test, and deploy their applications.
SaaS - Delivers applications for end-users to consume through a web browser. CSPs manage and host data for the application and the OS. This service model reduces operating expenses and IT resources to deploy SaaS.
Which SDN components provide advantages to cloud networking in comparison to traditional networking.
The SDN controller centralizes management of SDN operations.
Programmable routing switches deliver network traffic in the most optimal, efficient route possible.
The Application layer provides automation capabilities for network functions and services.
Describe the CSP resources that support automation.
REST APIs support the interactions between cloud resources, on-premise equipment, scripts, orchestration playbooks, and CloudGuard IaaS.
CLIs carry out repetitive tasks, communicate with the SDN’s OS, and run scripts that automate processes.
Scripts represent written programs that automate the execution of operational tasks.
PowerShell operates as an open source platform with a command line shell and a scripting language that can access services in the OS to automate tasks.
Templates use text files to generate scripts to create automated deployments.
Describe the orchestration playbook process for creating a new spoke and an automated Security Gateway.
An event trigger initiates an orchestration playbook.
The playbook launches a template to deploy an automated resource and configure its application software.
To protect the new resource, the playbook deploys a Security Gateway.
The Security Gateway receives a new inline Security Policy to protect the spoke.
What is the primary difference between vertical and horizontal autoscaling?
Vertical scaling requires a virtual machine to completely shut down while system resources move to a different size machine.
Horizontal scaling achieves the transfer of resources to a different VM automatically without the need to power down the VM
Identify the process CloudGuard Dome9 uses to integrate with cloud accounts.
Dome9 requires IAM account credentials to connect to public cloud accounts through REST APIs. Once connected, it gathers cloud configuration data to deploy protections.
Describe the CloudGuard Dome9 mechanisms that administer automated compliance remediations.
Automated software applications known as CloudBots address non-compliance issues. CloudBots operate in the cloud account to perform remediations such as quarantining or terminating cloud instances. Automatic remediation may apply to a single cloud account or several cloud accounts at one time.
Discuss the module that uses cloud data analytics to provide an overview of the cloud account’s security status.
Magellan operates as an intelligent threat prevention technology and an investigative tool that examines and gathers information about cloud activity. This module gathers cloud inventory, cloud configurations, system monitoring, and intelligence. Security Administrators may use this information to streamline Network Security operations, reduce the lead time for threat detection, and detect abnormal use of cloud resources.
The Cloud Blueprint Provides
Automating or auto-provisioning Security Gateway deployments follows a predefined repeated, consistent deployment process to adapt to the environment’s capacity.
Which hub provides the ability for automating Cloud deployment
Northbound
Auto deployment follows these steps
- An event trigger or a set of triggers monitors the traffic volume and responds when traffic increases.
- When the Security Gateway capacity reaches a defined threshold, the event trigger initiates deploying a new automated Security Gateway.
- The new Security Gateway operates in a High Availability mode after it receives a Security Policy to enforce.
What CSP automation tools are used to provide automated deployment
- API
- CLI
- Scripts
- Powershell
- Templates
API
Public clouds and Hybrid clouds use Representational State Transfer (REST) APIs to support the interactions between cloud resources, on-premise equipment, scripts, orchestration playbooks.
What operations are done via API with CloudGuard IaaS
- Automate creating and deleting policy objects
- Access Roles, VPN domains, and session management
- Build, publish, and install Access Control and Threat Prevention Security Policies
- Contact the SDDC
- Authorize the identity of Data Center objects
What does CLI allow
efficient tool for carrying out repetitive tasks in an automated manner.
What functions of CLI does the SMS server leverage
- Process scripting commands
- Transfer data between SDNs
- Manage day-to-day troubleshooting
- Examine configuration and operational issues
What are scripts and how are they used
Scripts represent written programs that send instructions to APIs in order to automate the execution of operational tasks. CloudGuard uses JavaScript Object Notation (JSON), a language independent script, to develop templates that automate Security Gateway deployments.
What is powershell and how is it used
PowerShell operates as an open source platform tool that includes a command line shell and a scripting language. The command line shell provides access to services within the OS for the purpose of automating tasks. Each CSP provides their own PowerShell tool to develop automation scripts.
What are templates and how are they used
- Templates represent text files with JSON scripts that automate cloud deployments.
- CloudGuard IaaS deployment templates support SMS and Security Gateway configurations
- An infrastructure deployment service in a CSP Portal creates and manages automated deployment templates
What is the name of each CSP Template resource
AWS :CloudFormation
Azure: Resource Manager
Google Clouds: Deployment Manager
What component is essential in SDDC to automation.
APIs as they have an orchestration layer
What initiates a playbook for automation
event trigger
A common orchestration platform that has a Check Point module
Ansible
What is autoscaling
Autoscaling deploys identical VMs, and other resources such as Security Gateways, as a single group
What tools does autoscaling leverage within the CSP
- CSP Portal
- CLI
- Powershell
Does autoscaling require pre-provisioning
No
What determines the scale of automated deployments
Rules
Common event triggers
- performance metrics
- Application resources
- Time schedules
What are two types of autoscaling
- Vertical
- Horizontal
Characteristics of vertical scaling
- Tune env up and down (e.g. smaller to bigger VM)
- Requires shutdown of resources
Characteristics of horizontal scaling
- Adds or removes resources
- No system shutdown
Which autoscaling method is recommended by Check Point Secure Cloud Blueprint
Horizontal
api status
Performs a system check of the API status.
api restart
Restarts the API
api reconf
Reconfigures the API instead of restarting it.
service autoprovision test
Checks the connectivity of auto- provisioned resources and identifies auto-provisioning issues.
tail -f $FWDIR/log/autoprovision.elg
Reveals any issues that occur during the autoprovision process.
tail -f $FWDIR/log/api.
Investigates system issues with API calls
Important log files to debug
/var/log/cloud-user-data
/var/log/ftwinstall.log
$FWDIR/log/autoprovision.elg* files
$FWDIR/conf/autoprovision.json file
/opt/CPsuite-R80/fw1/scripts/monitor.py
CloudGuard Dome9 capabilities
- Detect and remediate cloud native security misconfigurations
- Protect against identity theft and provide data loss prevention
- Visualize and assess the security posture of hybrid clouds
- Enforce compliance standards across multi-cloud environments
CloudGuard Dome9 serves organizations that support following characteristics:
- Environments that support an integrated DevOps culture
- Public clouds for Development and Testing operations
- Organizations using IaaS public clouds such as AWS, Azure, and GCP
- Data centers with cloud-based production systems
What does Dome9 use to connect, communicate, and collect information from cloud accounts and third-party tools?
APIs
What modules does CloudGuard Dome9 consist of?
- Cloud Inventory
- Network Security
- Compliance and Governance
- IAM Safety
- Magellan
What does the Cloud Inventory module provide?
Automates collecting inventory data from cloud environments.
What does the Network Security module provide?
Provides a real-time regional topology map of cloud networks.
What does the Compliance and Governance module provide?
Verifies compliance against industry standards.
What does the IAM Safety module provide?
Granularly controls IAM users, roles, and actions
What does the Magellan module provide?
Analyzes cloud traffic and audits security events to provide an overview of the cloud’s security status.
What allows CloudGuard Dome9 to connect to the CSPs?
IAM credentials
What fundamental operations do REST APIs provide in Dome9?
- System notifications
- Detect new cloud resources
- Deliver threat intelligence feeds
- Enforce compliance policies
- Apply security enhancements to the environment
What procedures do REST APIs perform?
- Manage locking and unlocking cloud-based Security Groups and regions
- Create time-sensitive, on-demand dynamic access leases to services and ports
- Run the compliance engine and Security Policy groups
- Remediate non-compliant cloud resources with Cloudbots
Does CloudGuard Dome9 install an agent?
No, it is agentless
Does CloudGuard Dome9 set a default security posture after install?
Yes
What authentication methods does CloudGuard Dome9 support for administration?
- Username and Password
- SSO
- 2-Factor
What are the role designations in CloudGuard Dome9?
- Super User - Accesses and manages account resources, creates new users, and modifies other user’s privileges.
- Account Owner - Retains Super User privileges and manages CloudGuard Dome9 account related issues such as billing and subscription plans.
- Normal User - Assigns privileges to manage account access, create new servers, or issue Security Groups.
Which two role definitions can grant user permission actions in CloudGuard Dome9?
- Super Users
- Account Owners
What are the permission types provided by CloudGuard Dome9?
- Dynamic Access - Issue dynamic access leases to cloud accounts.
- Create - Generate Dome9 agents on hosts using legacy software versions.
- Manage - Create, change, or remove Dome9 account assets.
- View - Access all system resources with read-only privileges.
What are the two rule base bundles in CloudGuard Dome9?
- Best Practices Bundle - Contains all CloudGuard Dome9 rules.
- Network Security Bundle - Includes all port based rules and Network Security rules.
What is GSL, and what does it provide?
Governance Specific Language (GSL) provides a simple but expressive language that defines configurations and network traffic flows.
Format: should <Condition>
Ex. [key='owner']
What feature of CloudGuard Dome9 allows administrators to test policy without any damaging effects?
CloudGuard Dome9 Playground
Does CloudGuard Dome9 provide an audit trail of access and actions?
Yes
Where does a CloudGuard Dome9 administrator manage cloud accounts and access?
Cloud Inventory module
What operations does the Cloud Inventory module perform?
- Search for Cloud Accounts
- Review the security posture of cloud accounts
- Apply uniform changes to the environment
- Respond to cloud account permissions behaviors
During CloudGuard Dome9 acquisition in AWS, Azure, or GCP, what are the three operational roles you can assign, and what do they allow?
- Read Only - Monitors and visualizes cloud accounts through CloudGuard Dome9.
- Full Protection - Enforces access to cloud accounts and reverts system changes to cloud assets or Security Groups
- Region Lock - Adds new Security Groups with Full Protection mode, which deletes all inbound/outbound Security Policy rules to the group.
What activities does the Network Security module perform?
- Visualizes Security Policies in cloud environments
- Manages Network Security Groups
- Controls access to protected cloud assets with short-term dynamic access leases
What does Clarity in CloudGuard Dome9 provide to the administrator?
Clarity displays the security posture of public clouds, which represents the cloud’s overall cyber security strength.
What are the two layers of visibility provided by Clarity in CloudGuard Dome9?
- The first layer contains a regional overview of the public clouds. This layer uses a topology map view to define each cloud’s relationship to one another.
- The second layer includes a Security Group view that maps cloud resources and services into security zones. Cloud resources and services reside in different Security Groups based on their level of exposure to the external world.
What CloudGuard Dome9 module provides a place to adjust security precautions and explains the effect of the changes?
Network Security Module
What CloudGuard Dome9 module provides predefined reports about compliance and security?
Compliance and Governance Module
What are the steps in the compliance workflow?
- Initial Assessment
- Review Results
- Customize
- Continuous Monitoring
- Automated Remediation
Describe the Initial Assessment phase of the compliance workflow
Requires defining the compliance framework and assets that require compliance assessments.
Describe the Review Results phase of the compliance workflow
Identifies any system controls that counteract compliance and discovers non-compliant assets.
Describe the Customize phase of the compliance workflow
Creates a custom continuous compliance configuration with rules and exceptions to apply to specific resources in the cloud environment.
Describe the Continuous Monitoring phase of the compliance workflow
Delivers system notifications and compliance reports that reveal cloud resources which require compliance updates.
Describe the Automated Remediation phase of the compliance workflow
Administers compliance remediation efforts with automated software applications known as CloudBots and integrates with third party remediation tools.
What dashboard provides an overview of security policy configuration?
Compliance Dashboard
What tool automates the notification and remediation of compliance issues?
The continuous compliance tool
What feature of CloudGuard Dome9 actively fixes out-of-compliance assets?
CloudBots
Can CloudBots remediate a single cloud or multiple clouds?
Multiple Clouds
What automatic remediations can be done by CloudBots?
- Encrypt databases
- Rotate encryption keys
- Force password changes
- Quarantine instances
- Add privacy settings to storage buckets
- Suspend users or roles
What platform supports CloudBot auto remediation?
AWS
What authentication mechanisms are used for CloudGuard Dome9 IAM account protections?
- Two-factor
- Attribute-based authorization
What does CloudGuard Dome9 Privileged Access Protection provide?
Time-sensitive authorization
Is it recommended to apply CloudGuard Dome9 protections before or after IAM accounts have received access to protected assets?
Before
CloudGuard Dome9 IAM protections fall into which two types?
- Protected - Blocks any protected IAM user from applying protected actions to cloud services
- Protected with Elevation - Authorizes CloudGuard Dome9 users access to protected services for a limited time period.
What feature of CloudGuard Dome9 protects Security Groups from unapproved changes?
CloudGuard Dome9 tamper protection
How many types of IAM reports are available?
2
- Policy
- Credential
What information is provided to CloudGuard Dome9 Magellan in determining security status?
- Cloud account configurations
- Data flows
What functions does CloudGuard Dome9 Magellan serve?
- Intelligent threat prevention technology
- Investigative tool that examines cloud activity
What does Magellan’s cloud-native security intelligence mechanism deliver?
- Intrusion Detection
- Network Traffic visualization
- Activity Analytics
What type of algorithms does CloudGuard Dome9 Magellan use?
Object-mapping
How does Magellan streamline Network Security operations?
- Reduces the lead time for threat detection
- Detects abnormal use of cloud resources
- Compliance validation
- List of unapproved assets
What is included in Magellan’s enrichment engine?
- threat feeds
- geographic databases
- inventory, configuration
- traffic flow logs
- cloud native compliance and auditing data
In what format is Magellan’s enriched data displayed?
Graphical
What graphical items are presented by Magellan?
- Compliance notifications
- Intrusion Alerts
- Enriched log data stream
What predefined queries are provided by Magellan?
- Login and Authentication - Reflects console logins from new regions, creating API keys in a new region, and brute force attacks on a cloud account.
- Security Configurations - Identifies outbound traffic using SSH or RDP, changes in the cloud account’s activity monitoring settings, and internal port scans.
- Resource Abuse - Scans the environment for new machine types in use, modifications to storage size, and database deletions.
Describe the CloudGuard Dome9 mechanisms that administer automated compliance remediations.
Automated software applications known as CloudBots address non-compliance issues. CloudBots operate in the cloud account to perform remediations such as quarantining or terminating cloud instances. Automatic remediation may apply to a single cloud account or several cloud accounts at one time.
Discuss the module that uses cloud data analytics to provide an overview of the cloud account’s security status.
Magellan operates as an intelligent threat prevention technology and an investigative tool that examines and gathers information about cloud activity. This module gathers cloud inventory, cloud configurations, system monitoring, and intelligence. Security Administrators may use this information to streamline Network Security operations, reduce the lead time for threat detection, and detect abnormal use of cloud resources.
Do you need to turn off Anti-Spoofing in Azure?
Yes, it interferes with routing.
What unit are AWS CloudFormation templates organized into?
Stacks
What CSP service do you need to employ to allow the SMS to autoprovision resources?
IAM
What command do you run on the SMS to see the version of the autoprovision module?
cat $FWDIR/scripts/autoprovision/version
What is the command to establish autoprovision on the SMS server?
autoprov-cfg
What is the command to check autoprovision configuration details on the SMS?
autoprov-cfg show all
What is the command to test the autoprovision configuration on the SMS server?
service autoprovision test
What is the command to set the autoprovision template configuration on the SMS server?
autoprov-cfg set template