CCSP Domain 3: Network and System Security in Cloud

Question 1

What cloud datacenter functions have to be performed on isolated networks?

Answer 1

1. storage controller access
2. management system control interface
3. customer access provision

Question 2

What is the purpose of a network security group in cloud?

Answer 2

control and govern network traffic to and from virtual machines (VMs), network interfaces, and subnets within a virtual network (VNet)

Question 3

How is the traffic filtering enforced in network security groups?

Answer 3

by NSGs acting as a virtual firewall, which allows to enforce inbound/outbound traffic rules based on specific criteria - source and destination IP addresses, source and destination ports, and protocol types (e.g., TCP, UDP, ICMP)

Question 4

How can NSGs aid logging and auditing?

Answer 4

by monitoring traffic that matches defined rules

Question 5

How to capture packets within customer tenant?

Answer 5

with specilized CSP tools like Network Watcher (Azure) or VPC Traffic Mirroring (AWS)

Question 6

What does Geofencing use to define geographical boundaries?

Answer 6

GPS or RFID

Question 7

How is Geofencing used?

Answer 7

1. restrict access to systems and services based on where the access attempt is being generated from
2. prevent devices from being removed from the company’s premises
3. identify unusual traffic and prevent misuse

Question 8

What is a Virtual Private Cloud (VPC)?

Answer 8

allows users to create isolated and logically segmented private networks within a public cloud environment; enable organizations to have control over network configuration, IP address allocation, routing, and security settings while leveraging the benefits of cloud computing

Question 9

What CSPs use the Virtual Private Cloud (VPC) terminology?

Answer 9

AWS, GCP

Question 10

How is Virtual Private Cloud (VPC) called in Azure?

Answer 10

vnet

Question 11

How can virtual networks be connected to other networks?

Answer 11

1. VPN (transit) gateway - S2S connectivity
2. network peering - used in private networks within cloud

Question 12

How to think of a VPC?

Answer 12

as a logically separated piece of a cloud; like a private data center

Question 13

VPC is the foundation for what resources?

Answer 13

compute

Question 14

What do VPCs belong to?

Answer 14

a region; span across all availability zones within the region

Question 15

What can a VPC contain?

Answer 15

• Internet Gateway (IGW) or Virtual Private Gateway (VGW)
• Route Tables
• Network ACLs (NACLs):
• Security Groups or Network Security Groups (NSGs)
• Peering Connections
• VPN Connections or Direct Connect
• Elastic IP Addresses (EIPs)
• DNS Resolution and Hostnames
• Flow Logs and Monitoring
• VPC Endpoints (Service Endpoints)
• NAT Gateway or NAT Instance

Question 16

A subnet in a VPC is tight to how many availability zones?

Answer 16

a single one

Question 17

How are external IP addresses assigned?

Answer 17

• upon a compute resource creation, it needs to be specified, whether public IP is required - these IPs are assigned by CSP
• these IPs change when the instance is stopped and started again; IP that sticks can be assigned through Elastic IP (AWS)

Question 18

What is a screened subnet?

Answer 18

subnet that is placed between two routers or firewalls; bastion hosts are located within that subnet

Question 19

What is message authentication code (MAC) used for?

Answer 19

to verify non-repudiation by using a session key; electronic financial transfers requently use MACs to preserve data integrity

Question 20

What is hash-based message authentication code (HMAC)?

Answer 20

special type of MAC with a cryptographic hash function AND a secret crypto key

Question 21

What does HMAC simultaneously verify?

Answer 21

data integrity and message authenticity

Question 22

What’s the Azure’s and AWS’s name for bastion?

Answer 22

• Azure - Azure Bastion
• AWS - AWS Transit Gateway

Question 23

When hardening a system, what should be done with the registry?

Answer 23

access should be restricted, and updates controlled through policy, where possible; backup should be created before changes are made

Question 24

What tool is used for disk encryption in Linux?

Answer 24

dm-crypt