CCSP Domain 3: Network and System Security in Cloud Flashcards
What cloud datacenter functions have to be performed on isolated networks?
- storage controller access
- management system control interface
- customer access provision
What is the purpose of a network security group in cloud?
control and govern network traffic to and from virtual machines (VMs), network interfaces, and subnets within a virtual network (VNet)
How is the traffic filtering enforced in network security groups?
by NSGs acting as a virtual firewall, which allows enforcing inbound/outbound traffic rules based on specific criteria: source and destination IP addresses, source and destination ports, and protocol types (e.g., TCP, UDP, ICMP)
How can NSGs aid logging and auditing?
by monitoring traffic that matches defined rules
How to capture packets within customer tenant?
with specialized CSP tools like Network Watcher (Azure) or VPC Traffic Mirroring (AWS)
What does Geofencing use to define geographical boundaries?
GPS or RFID
How is Geofencing used?
- restrict access to systems and services based on where the access attempt is being generated from
- prevent devices from being removed from the company’s premises
- identify unusual traffic and prevent misuse
What is a Virtual Private Cloud (VPC)?
allows users to create isolated and logically segmented private networks within a public cloud environment; enables organizations to have control over network configuration, IP address allocation, routing, and security settings while leveraging the benefits of cloud computing
What CSPs use the Virtual Private Cloud (VPC) terminology?
AWS, GCP
What is a Virtual Private Cloud (VPC) called in Azure?
VNet
How can virtual networks be connected to other networks?
- VPN (transit) gateway - S2S connectivity
- network peering - used in private networks within cloud
How to think of a VPC?
as a logically separated piece of a cloud; like a private data center
VPC is the foundation for what resources?
compute
What do VPCs belong to?
a region; span across all availability zones within the region
What can a VPC contain?
- Internet Gateway (IGW) or Virtual Private Gateway (VGW)
- Route Tables
- Network ACLs (NACLs)
- Security Groups or Network Security Groups (NSGs)
- Peering Connections
- VPN Connections or Direct Connect
- Elastic IP Addresses (EIPs)
- DNS Resolution and Hostnames
- Flow Logs and Monitoring
- VPC Endpoints (Service Endpoints)
- NAT Gateway or NAT Instance
A subnet in a VPC is tied to how many availability zones?
a single one
How are external IP addresses assigned?
- when a compute resource is created, it must be specified whether a public IP is required; these IPs are assigned by the CSP
- these IPs change when the instance is stopped and started again; an IP that sticks can be assigned through Elastic IP (AWS)
What is a screened subnet?
subnet that is placed between two routers or firewalls; bastion hosts are located within that subnet
What is message authentication code (MAC) used for?
to verify non-repudiation by using a session key; electronic financial transfers frequently use MACs to preserve data integrity
What is hash-based message authentication code (HMAC)?
special type of MAC with a cryptographic hash function AND a secret crypto key
What does HMAC simultaneously verify?
data integrity and message authenticity
What are Azure’s and AWS’s names for a bastion?
- Azure - Azure Bastion
- AWS - AWS Transit Gateway
When hardening a system, what should be done with the registry?
access should be restricted and updates controlled through policy where possible; a backup should be created before changes are made
What tool is used for disk encryption in Linux?
dm-crypt