Chapter 3 Cloud and Physical Security Flashcards

1
Q

What are the types of monitoring in network design?

A

Signature-based, network-based, and anomaly-based

2
Q

Explain network-based monitoring.

A

Attached to the network in a place where it can monitor all traffic for passive and active responses.

3
Q

Explain signature-based monitoring.

A

Watches for intrusions that match a known identity or signature against a “signature database”. Requires regular updates.

4
Q

Explain anomaly-based monitoring.

A

Detects unusual activity by comparing it against a baseline established during an initial learning period; anomalies cannot be detected until that period is complete. Also referred to as behavior-based and heuristic-based detection.

5
Q

Explain behavioral-based monitoring.

A

Monitors behavior that is not allowed and acts accordingly.

6
Q

What is an appliance firewall and another name for it?

A

A “hardware firewall” is designed to be a stand-alone solution that can be plugged into a network and operated with minimal configuration and maintenance.

7
Q

What is IPSec?

Hints: What are the security protocols? What are the modes?

A

IPSec uses ESP (Encapsulating Security Payload) and AH (Authentication Header) as security protocols. It can operate in tunnel mode (the entire packet is encrypted) or transport mode (only the payload is encrypted). IPSec sets up a secure channel using strong encryption and authentication between two network devices, and is commonly used to secure VPN communications.

8
Q

What are the different types of WAPs?

A

Controller-based, thin, and fat (a.k.a. stand-alone).

9
Q

What is a controller-based WAP?

A

A wireless access point that allows the management of all WAPs in the network from a centralized location, allowing consistent configuration settings for updates and policies.

10
Q

What is a fat WAP?

A

Fat wireless access points (stand-alone) can be configured remotely, but each one must be configured manually. They also don’t allow management of several WAPs from a single location.

11
Q

What is a thin WAP?

A

Thin wireless access points allow configuration from a switch or router.

12
Q

What is a PIV?

A

Personal Identity Verification cards are certificate-based smart cards that have a picture, integrated chip, two bar codes, and a magnetic strip. These are issued to non-military federal employees and contractors.

13
Q

What is a CAC?

A

Common Access Cards are certificate-based smart cards that have a picture, integrated chip, two bar codes, and a magnetic strip. These are issued by the DoD (Department of Defense) to military personnel and contractors.

14
Q

What are the different types of antennas?

A

Omni, Yagi, Sector, and Dipole.

15
Q

What is an Omni antenna?

A

A multi-directional antenna that radiates radio waves uniformly in all directions.

16
Q

What is a Yagi antenna?

A

A directional antenna with high gain and a narrow radiation pattern.

17
Q

What is a Sector antenna?

A

A directional antenna whose radiation pattern covers a sector of a circle, measured in degrees of arc.

18
Q

What is a Dipole antenna?

A

The most widely used antenna with a radiation pattern shaped like a doughnut.

19
Q

What is a CRL in a PKI, in regards to a CA?

A

A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid.

20
Q

What is a KDC and what is it used for?

A

A Key Distribution Center (KDC) is used in Kerberos network authentication to distribute resource access keys.

21
Q

What is a dual-homed firewall?

A

A firewall with two network interfaces, used for network segregation: one interface connects to a public network (the internet) and the other connects to the private network.

22
Q

What is a screened subnet?

A

Another term for a DMZ (demilitarized zone) where two firewalls are used: one firewall sits between the public network and the DMZ, and another sits between the DMZ and the private network.

23
Q

What is a proxy server?

A

A proxy server acts as an internet gateway, firewall, and internet caching server for a private network.

24
Q

What is an ACL?

A

Access Control Lists (ACLs) limit which users are allowed to make connections.

25
Q

What are static code analyzers?

A

Static code analyzers look for memory allocation commands and ensure they have corresponding deallocation commands.

26
Q

What Amazon service offers block storage volumes?

A

Amazon EBS (Elastic Block Storage)

27
Q

What type of document is used to agree upon vendor obligations?

A

SLA (Service Level Agreements)

28
Q

What is IaaS?

A

Infrastructure as a Service is where customers purchase basic computing resources from a vendor and build their own IT solutions. It can provide compute capacity, data storage, etc.

29
Q

What is SaaS?

A

Software as a Service is where a public cloud provider delivers an entire application to customers. Very little, if any, configuration is needed on the customer’s end, and the application is commonly accessed through a standard web browser or an API.

30
Q

What is PaaS?

A

Platform as a Service is where vendors provide a platform on which customers run their own application code without worrying about server configuration.

31
Q

What is XaaS?

A

XaaS is Anything as a Service where the X can stand for whatever type of service is being delivered.

32
Q

What are common examples of SaaS?

A

Office 365, Dropbox, Google Apps, etc.

33
Q

What are other names for PaaS?

A

Platform as a Service is also referred to as serverless computing and FaaS, or Function as a Service.

34
Q

What is data sovereignty?

A

Data is subject to legal restrictions of any jurisdiction where it is collected, stored, or processed, regardless of where the data came from.

36
Q

In regards to cloud security controls, what are resource policies?

A

Resource policies place limits on the actions of a user that has direct access to a cloud environment.

37
Q

What is VPC peering?

A

Virtual Private Cloud peering allows interconnections between different cloud networks.

38
Q

What is CASB?

A

Cloud Access Security Brokers provide managed IAM (Identity and Access Management) services and policy enforcement across cloud services.

39
Q

What are transit gateways?

A

Transit gateways are used to connect VPCs (Virtual Private Clouds) and on-premises computing environments.

40
Q

In regards to cloud security controls, what are security groups?

A

Since CSPs maintain all firewalls and don’t allow customers to modify them, security groups are used to offer firewall functionality to IaaS customers.

41
Q

In regards to cloud security controls, what is secret management?

A

Secret management tools store encryption keys and other sensitive credentials so that applications can access them, while keeping them unavailable to the CSP or to others in the organization.

42
Q

What are the OSI model layers from bottom to top?

A

Physical, Data Link, Network, Transport, Session, Presentation, Application

43
Q

Explain each OSI model layer.

A

Physical - Wires, radios, and optics
Data Link - Data transfers between two nodes
Network - Internet Protocol (IP)
Transport - TCP and UDP
Session - Exchanges between systems
Presentation - Data translation and encryption
Application - User programs

44
Q

What is ICMP?

A

Internet Control Message Protocol is a protocol that performs a number of administrative functions such as ping, traceroute, destination unreachable, redirects, time exceeded, and address mask requests and replies.

45
Q

What are other names for anomaly detection?

A

Behavior-based detection and heuristic detection

46
Q

What is an In-Band (Inline) IPS deployment?

  • What can this accomplish?
  • What are the issues with this?

A

In an in-band or inline IPS deployment, the IPS device sits directly in the network path and captures all the data coming through. This allows the IPS to actively block suspicious traffic from entering; however, since the IPS device is a single point of failure, any issue with it can disrupt all network communications.

47
Q

What is an Out-of-Band (passive) IPS deployment?

  • What can this accomplish?
  • What are the issues with this?

A

An out-of-band or passive IPS is connected to a SPAN (Switch Port Analyzer) port and sits outside the flow of network traffic. This allows all the traffic to be scanned by the IPS, but it cannot disrupt the flow of the traffic. This approach can’t stop the initial attack from entering, but it can react by preventing future attacks from happening.

48
Q

What’s the difference between the following analyzers?
-Protocol Analyzer
-Network Analyzer
-

A
49
Q

Explain the restriction types:

  • Rule-based
  • Role-based
  • Time-based
  • Location-based
A

Rule-based: Rules are explicitly expressed for the types of network activity to allow or deny (a.k.a. firewall rules).
Role-based: Restricts access based on the user’s identity and role within an organization.
Time-based: Grants or denies access to information only during specified hours.
Location-based: Grants or denies access to information based on the user’s location.

50
Q

What is NAC?

Cont 1: What protocol does NAC use?

A

NAC (Network Access Control) technology intercepts wired/wireless network traffic and verifies that the system and user are authorized to connect to the network before allowing them to communicate with other systems.
Cont 1: NAC uses the authentication protocol 802.1x to perform the access control tasks.

51
Q

In regards to firewalls, what are shadowed rules?

A

Rules that will never be executed because of their placement in the rule base.

52
Q

In regards to firewalls, what are promiscuous rules?

Cont: What are some key causes?

A

Rules that allow too much access, violating the principle of least privilege.
Cont: Laziness, lack of understanding, or typos.

53
Q

In regards to firewalls, what are orphaned rules?

A

Rules that allow access to decommissioned systems and services.

54
Q

What is VLAN Pruning?

A

Limiting the exposure of unnecessary VLANs by limiting the number of switches where they’re trunked.

55
Q

What is VLAN hopping?

(Cont 1: How can you prevent VLAN Hopping?)

(Cont 2: What is VLAN Trunk Negotiation?)

A

A malicious user switches from an authorized VLAN to an unauthorized VLAN by pretending to be a switch and asking to trunk VLANs to their device.

Cont 1: By using VLAN Trunk Negotiation.
Cont 2: VLAN Trunk Negotiation is denying the use of automatic VLAN trunking, which prevents a user from VLAN hopping.

57
Q

What is flood guard technology?

A

A technology used to help network devices limit the effectiveness of SYN and MAC flooding by limiting the number of open connections each source system can have.

58
Q

What is the STP protocol?

A

The Spanning Tree Protocol (STP) prevents routing loops and broadcast storms by implementing loop prevention. STP allows multiple physical connections, but removes the logical connections that would allow loops.

59
Q

What is BPDU Guard?

A

A Bridge Protocol Data Unit (BPDU) Guard blocks malicious STP update attacks.

60
Q

What is SNMP?

Cont: What is the current SNMP version?

A

Simple Network Management Protocol (SNMP) automates routine network monitoring and management tasks.
Cont: SNMPv3