Chater 4 Mod3: Understanding Network Security Infrastructure Flashcards
1
Q
What are the two primary options for organizations in terms of managing data centers?
A
Organizations can either outsource the data center or own it. If owned, the data center is likely to be built on premises, meaning it is physically located within the organization’s facilities.
2
Q
What are some critical components and considerations for on-premises data centers?
A
On-premises data centers require facilities such as buildings, power supply, Heating, Ventilation and Air Conditioning (HVAC) systems, and fire suppression. These components are essential for the proper functioning and security of the data center.
3
Q
Why is the protection of the physical layer of the network important for data center security?
A
Protecting the physical layer helps minimize intentional or unintentional damage to the data center. It involves securing access to areas containing critical infrastructure, such as phone and network connections, ISP or telecommunications equipment, servers, and wiring or switch components.
4
Q
What are the environmental considerations for maintaining data center equipment?
A
Environmental considerations include maintaining proper cooling and airflow, with temperature standards ranging from 64° to 81°F (18° to 27°C). Contaminant control, monitoring for leaks, and planning for contingencies in case of system failures are crucial aspects of environmental management.
5
Q
Why is power supply critical for data centers, and what measures are taken to ensure constant and consistent power?
A
Data centers consume a significant amount of electrical power, requiring constant and consistent delivery. Backup generators and battery backups are used to ensure power continuity, with proper sizing and testing to support the critical load and infrastructure during power disruptions.
6
Q
How is fire suppression addressed in server rooms, and why is water usage a concern?
A
Fire detection/suppression in server rooms is based on room size, human occupancy, egress routes, and equipment risk. Water usage is a concern because it can cause harm to servers and electronic components. Gas-based fire suppression systems, though more electronics-friendly, may pose toxicity risks to humans.
7
Q
What is the fundamental concept behind redundancy in system design, particularly in the context of data centers?
A
To have duplicate components to ensure system reliability in case of failure.
8
Q
How does redundancy apply to power supplies in a data center environment?
A
Devices should ideally have two power supplies connected to diverse power sources for backup.
9
Q
In the realm of data centers, when might it be necessary to establish multiple separate utility service entrances?
A
It is necessary for redundant communication channels and mechanisms.
10
Q
What additional steps are taken for power source redundancy in a high-availability environment, especially concerning generators?
A
Generators are made redundant and fed by different fuel types.
11
Q
For devices in a data center to achieve full redundancy, what is the recommended power supply configuration?
A
Two power supplies should be connected to diverse power sources.
12
Q
What does a redundant power source provide in addition to redundant backups of information in a data center?
A
An uninterrupted power supply (UPS).
13
Q
What components might be involved in ensuring a constant power supply in a data center, besides redundant backups and generators?
A
Transfer switches or transformers.
14
Q
Why is a backup generator considered essential in data centers?
A
To provide power in case of interruptions due to weather, blackouts, or other factors.
15
Q
In a high-reliability setup, what is the configuration for backup generators, and why?
A
Two generators connected by two different transfer switches to ensure redundancy.
16
Q
What are the different fuel sources that can power backup generators in a data center?
A
Diesel, gasoline, propane, or even solar panels.
17
Q
How might critical organizations like hospitals or government agencies implement redundancy in their power sources?
A
They might contract with more than one power company and be on two different grids.
18
Q
Explain the purpose of agreements like Memoranda of Understanding (MOU) or Memoranda of Agreement (MOA) in the context of business continuity and disaster recovery.
A
MOUs or MOAs are agreements between organizations to share resources during emergencies, ensuring the maintenance of critical functions.
19
Q
Provide an example of how competitors, like hospitals, might collaborate through agreements such as JOA or MOU for business continuity.
A
Hospitals, may create agreements to share resources during emergencies, allowing them to operate in each other’s facilities to maintain critical functions.
20
Q
What factors might lead organizations to enter into joint operating agreements (JOA) or similar agreements with their competitors?
A
Organizations might collaborate with competitors to leverage facilities and resources, meeting industry needs for business continuity.
21
Q
Differentiate between Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) and Service Level Agreement (SLA) in terms of their focus and specificity.
A
MOUs or MOAs are more related to what can be done with a system or information, while SLAs specify intricate details of services.
22
Q
Describe the level of detail covered in a Service Level Agreement (SLA) by providing an example of a specific requirement mentioned in an SLA.
A
SLAs specify detailed aspects of services, such as requiring two full-time technicians available from Monday through Friday from eight to five for IT services.
23
Q
Explain the caution and considerations needed when outsourcing IT services with cloud-based providers, particularly concerning SLAs.
A
Caution is required to understand the specifics of SLAs, ensuring clarity on factors like accessibility to information and relying on legal teams for thorough review.
24
Q
If a Service Level Agreement (SLA) promises 100 percent accessibility to information, what cautionary steps should be taken to clarify the terms?
A
It’s important to clarify whether the 100 percent accessibility is direct to the client or through the provider’s website or portal during specific times, requiring careful legal review.
25
What role does the legal team play in the process of entering into agreements, especially those involving SLAs?
The legal team is crucial in supervising and reviewing conditions before signing agreements, ensuring clarity and protection of the parties involved.
26
What does MOU stand for in the context of agreements between organizations for business continuity and disaster recovery?
Memorandum of Understanding.
27
In the realm of agreements for sharing resources during emergencies, what does MOA represent?
Memorandum of Agreement.
28
What does BC stand for when organizations seek to enhance their capabilities to minimize downtime?
Business Continuity.
29
What is the abbreviation for Disaster Recovery in the context of organizations creating agreements for maintaining critical functions during emergencies?
DR.
30
In the context of agreements like JOA between competitors for collaborative business continuity, what does JOA stand for?
Joint Operating Agreement.
31
Differentiate between MOU/MOA and SLA. What does SLA stand for, and how does it differ in focus and specificity?
SLA stands for Service Level Agreement, and it specifies more intricate details of services compared to MOU/MOA.
32
What is the abbreviation SLA used to represent in the context of agreements related to outsourcing IT services, especially with cloud-based providers?
Service Level Agreement.
33
What is cloud computing typically associated with?
Internet-based set of computing resources.
34
How is cloud computing provisioned, similar to the electrical grid?
In a geographic location and sourced using an electrical means not obvious to the consumer.
35
How is cloud computing similar to the electrical or power grid in terms of accessibility?
It is available via a common standard interface when needed, and users pay only for what they use.
36
According to NIST, what is the definition of cloud computing?
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
37
What does the NIST definition of cloud computing emphasize regarding network access and resources?
ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
38
What does cloud computing refer to in terms of resource access?
Cloud computing refers to on-demand access to computing resources available from almost anywhere.
39
How are cloud-based resources accessed in cloud computing?
Cloud-based resources are accessed through on-demand access from almost anywhere.
40
What are some benefits of cloud computing for organizations?
Some benefits include metered usage, reduced cost of ownership, reduced energy and cooling costs, and scalability.
41
How is usage typically billed in cloud computing?
Usage is typically metered and priced according to units (or instances) consumed.
42
Why is there a reduced cost of ownership in cloud computing?
here is no need to buy assets for everyday use, and there's a reduction in maintenance and support costs.
43
What does the "green IT" effect in cloud computing refer to?
It refers to reduced energy and cooling costs, along with the optimum use of IT resources and systems.
44
How does cloud computing enable enterprises to scale up services quickly?
It allows enterprises to scale up new software or data-based services quickly without having to install massive hardware locally.
45
What are cloud-based assets in cloud computing?
Cloud-based assets include any resources that an organization accesses using cloud computing.
46
What is resource pooling in cloud computing?
It is the ability to share resources with other colleagues or similar industries, providing data for artificial intelligence or analytics.
47
What are some ways to contract with a cloud service provider?
Some ways include setting up billing based on data usage, similar to a mobile phone, and utilizing resource pooling.
48
What are the types of cloud computing service models mentioned in the text?
The types of cloud computing service models mentioned are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
49
What is Software as a Service (SaaS) in cloud computing?
SaaS provides access to software applications hosted by a vendor or cloud service provider, accessible to users over network resources.
50
What are the benefits of Software as a Service (SaaS) for organizations?
Benefits include ease of use, limited administration, automatic updates, patch management, and standardization.
51
What is Platform as a Service (PaaS) in cloud computing?
PaaS provides an environment for customers to build and operate their own software, offering a toolkit for developing, deploying, and administering applications.
52
What is Infrastructure as a Service (IaaS) in cloud computing?
IaaS provides network access to traditional computing resources such as processing power and storage, allowing consumers to install operating systems and applications.
53
What are the benefits of Infrastructure as a Service (IaaS) for organizations?
Benefits include the ability to scale up and down infrastructure services based on actual usage and retaining system control at the operating system level.
54
In Software as a Service (SaaS), who is responsible for hosting software applications?
The vendor or cloud service provider is responsible for hosting software applications in SaaS.
55
What does Platform as a Service (PaaS) provide to developers?
PaaS provides a toolkit for developing, deploying, and administering application software, along with tools supporting large-scale applications.
56
What is the consumer's responsibility in Infrastructure as a Service (IaaS)?
Consumers are responsible for installing operating systems, applications, and performing maintenance on them in IaaS.
57
What does "hardware as a service" refer to in Infrastructure as a Service (IaaS)?
"Hardware as a service" is another term used by some customers and providers to describe Infrastructure as a Service (IaaS).
58
What are the four cloud deployment models mentioned in the text?
The four cloud deployment models are public, private, hybrid, and community.
59
What characterizes a public cloud deployment model?
A public cloud is open to the public, easily accessible, and shared by many users as part of a resource pool. It is hosted by an external cloud service provider (CSP).
60
How is access to a public cloud typically obtained?
Access to a public cloud is typically obtained by applying for and paying for the cloud service.
61
What is the key difference between public and private clouds?
Public clouds are shared resources open to the public, while private clouds are generally developed and deployed for a single organization, keeping resources private.
62
What are the characteristics of a private cloud deployment model?
Private clouds are developed and deployed for a single organization, providing private access to computing, storage, networking, and software assets.
63
In a private cloud, who is responsible for maintenance?
In a private cloud, the organization is responsible for all maintenance, although they may rent resources from a third party.
64
What is a hybrid cloud deployment model?
A hybrid cloud is created by combining two forms of cloud computing deployment models, typically a public and private cloud.
65
What are the benefits of hybrid cloud deployments?
Benefits include retaining ownership and oversight, reusing previous technology investments, maintaining control over critical business components, and cost-effective fulfillment of noncritical business functions.
66
What characterizes community clouds?
Community clouds are generally developed for a particular community, either public or private, where people with similar interests share IT capabilities and services.
67
Can a community cloud be either public or private?
Yes, a community cloud can be either public or private, depending on its focus and the interests of the community it serves.
68
What does MSP stand for in the context of information technology?
MSP stands for Managed Service Provider.
69
What is the primary role of a managed service provider (MSP)?
The primary role of an MSP is to manage information technology assets for another company.
70
Which types of businesses commonly outsource their information technology functions to MSPs?
Small- and medium-sized businesses commonly outsource part or all of their information technology functions to MSPs.
71
What are some reasons organizations use MSPs?
Organizations use MSPs to manage day-to-day operations, provide expertise in areas they lack, offer network and security monitoring, and deliver patching services.
72
What is a managed detection and response (MDR) service, and how does it relate to MSPs?
An MDR service is an example of a cloud-based service provided by MSPs. It involves monitoring firewall and other security tools to provide expertise in triaging events and responding to incidents.
73
Name some common implementations of MSP services.
Common MSP implementations include augmenting in-house staff for projects, utilizing expertise for product or service implementation, providing payroll services, managing Help Desk service, monitoring and responding to security incidents, and managing all in-house IT infrastructure.
74
What does SLA stand for in the context of cloud computing?
SLA stands for Service-Level Agreement.
75
What is the purpose of a service-level agreement (SLA) in cloud computing?
The purpose of an SLA is to document specific parameters, minimum service levels, and remedies for any failure to meet specified requirements in cloud services.
76
What are some of the crucial business elements covered in an SLA?
An SLA covers minimum levels of service, availability, security, controls, processes, communications, support, and other crucial business elements agreed upon by both the cloud service provider and the customer.
77
What does an SLA affirm regarding data ownership?
An SLA should affirm data ownership and specify data return and destruction details.
78
Name some important points to consider in an SLA.
Some important points to consider in an SLA include
cloud system infrastructure details and security standards,
customer right to audit legal and regulatory compliance by the CSP,
rights and costs associated with continuing and discontinuing service use,
service availability,
service performance,
data security and privacy,
disaster recovery processes,
data location,
data access,
data portability,
problem identification and resolution expectations,
change management processes,
dispute mediation processes,
and exit strategy.
79
What is the objective of network design?
The objective of network design is to satisfy data communication requirements and result in efficient overall performance.
80
What is network segmentation, and what does complete or physical network segmentation involve?
Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, allowing transactions only between devices within the segmented network.
81
What is a DMZ in the context of network design, and what is its typical purpose?
A DMZ is a network area designed to be accessed by outside visitors but is isolated from the private network of the organization. It often hosts public web, email, file, and other resource servers.
82
How are VLANs created, and what is their purpose in network design?
VLANs (Virtual Local Area Networks) are created by switches to logically segment a network without altering its physical topology.
83
What is a virtual private network (VPN), and what does it provide?
A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an untrusted network.
84
What does the defense-in-depth approach involve in network design?
Defense in depth involves using multiple types of access controls in literal or theoretical layers to help an organization avoid a monolithic security stance.
85
How would you define Network Access Control (NAC) in the context of network design?
Network Access Control (NAC) is a concept of controlling access to an environment through strict adherence to and implementation of security policy.
86
How does the concept of defense in depth apply to the security posture of an organization, and what analogy is often used to explain it?
Defense in depth uses a layered approach to designing the security posture of an organization. The analogy often used is that of a castle holding the crown jewels, where layers of security, such as soldiers, walls, and a moat, protect a vaulted chamber at the central location.
87
Provide examples of controls within the "Data" layer of defense in depth.
Controls within the "Data" layer include technologies such as encryption, data leak prevention, identity and access management, and data controls.
88
What types of controls are part of the "Application" layer in defense in depth, and what do they protect?
Controls in the "Application" layer protect the application itself. Technologies involved include data leak prevention, application firewalls, and database monitors.
89
Name some controls at the "Host" layer in defense in depth, and where are these controls placed?
Controls at the "Host" layer, placed at the endpoint level, include antivirus, endpoint firewall, configuration, and patch management.
90
What is the focus of controls within the "Internal network" layer of defense in depth, and what technologies are relevant?
The focus is on protecting uncontrolled data flow and user access across the organizational network. Relevant technologies include intrusion detection systems, intrusion prevention systems, internal firewalls, and network access controls.
91
Which controls are part of the "Perimeter" layer in defense in depth, and what is their purpose?
"Perimeter" layer controls protect against unauthorized access to the network. Technologies involved include gateway firewalls, honeypots, malware analysis, and secure demilitarized zones (DMZs).
92
What physical controls are considered in the defense in depth strategy, and what do they provide?
Physical controls provide a physical barrier and include elements such as locks, walls, or access control.
93
How do policies, procedures, and awareness contribute to defense in depth, and what type of controls do they represent?
Policies, procedures, and awareness contribute administrative controls to defense in depth, reducing insider threats and identifying risks as they appear.
94
What characterizes a zero trust network, and how are these networks often structured?
Zero trust networks are often microsegmented networks with firewalls at nearly every connecting point. They encapsulate information assets, services, and their security properties.
95
Why is the concept of zero trust crucial in modern security, and how does it address traditional trust-but-verify environments?
Zero trust is crucial as it recognizes that once inside a trust-but-verify environment, a user has potentially unlimited capabilities. It addresses this by adding more firewalls or security boundary control devices throughout the network to detect and prevent malicious activities.
96
In the analogy of a rock music concert, how does the concept of zero trust translate into additional security measures?
In a zero-trust environment, additional checkpoints are added beyond the traditional perimeter controls. Identity validation is required at multiple levels, representing added layers of security before accessing specific areas, analogous to requiring valid credentials at different levels in a concert venue.
97
What is the main focus of zero trust in terms of security architecture, and how does it differ from traditional approaches?
Zero trust focuses on the assets or data rather than the perimeter. It adds defenses at the user, asset, and data levels, moving away from relying solely on perimeter defense. Every process or action a user attempts to take must be authenticated and authorized in a zero-trust environment.
98
How does microsegmentation contribute to the implementation of zero trust, and what does it enforce in terms of user authentication?
Microsegmentation adds internal perimeters in zero trust, enforcing frequent re-authentication of a user ID. This means that even within the network, users need to authenticate themselves regularly.
99
What is the core principle behind zero trust, and how does it challenge traditional access control systems?
The core principle behind zero trust is to authenticate and authorize every process or action a user attempts to take. It challenges traditional access control systems by insisting on frequent authentication and authorization, reducing the window of trust to be vanishingly small.
100
How does zero trust differ from traditional security models in terms of where it places its focus?
Zero trust differs by placing its focus on the assets or data directly rather than relying solely on perimeter defense. It builds more effective gates to protect assets directly instead of building additional or higher walls around the perimeter.
101
Why is controlling access to an organization's network important, and what are the challenges associated with it?
Controlling access to an organization's network is crucial to ensure security, and it involves knowing and managing access both from insiders and outsiders. Challenges include the increasing prevalence of remote connections, bring your own device (BYOD), and Internet of Things (IoT) devices.
102
How has the concept of network access evolved over time, especially with the emergence of BYOD and IoT?
Network access, once limited to internal devices, has evolved to include remote connections, BYOD, and IoT devices. BYOD allows employees to use their personal devices for work, and IoT introduces a wide range of devices like HVAC systems, security systems, sensors, cameras, vending machines, etc.
103
What role does Network Access Control (NAC) play in securing an organization's network, and what capabilities should a NAC solution provide?
NAC is crucial for securing a network by enforcing access control policies. It provides visibility into network access, supports incident response, and ensures that devices comply with organizational policies before joining the network. A NAC solution should enforce access and security policies and provide network visibility.
104
How does a NAC device contribute to incident response, and what actions can it take for noncompliant devices?
A NAC device contributes to incident response by providing network visibility. For noncompliant devices, it can isolate them within a quarantined network and initiate actions to remediate noncompliance, such as turning on endpoint protection.
105
What is the role of access control policies in the context of Network Access Control (NAC)?
Access control policies are foundational for NAC. NAC devices enforce an organization's access control policies and associated security policies. These policies define the rules for network access and are crucial for ensuring a secure and compliant network environment.
106
Identify some possible use cases for deploying NAC, considering different types of devices and users.
Possible use cases for NAC deployment include medical devices, IoT devices, BYOD/mobile devices (laptops, tablets, smartphones), and guest users and contractors. NAC ensures that all devices, regardless of ownership, comply with organizational policies before connecting to the network.
107
Why is it important for all mobile devices to go through an onboarding process and be identified when connecting to the network?
It is important for all mobile devices to go through an onboarding process and be identified to ensure that they comply with the organization's policies. This process is critical for security and helps verify that devices meet the requirements before accessing the network.
108
What is network segmentation, and why is it considered an effective approach for achieving defense in depth?
Network segmentation involves controlling traffic among networked devices and is effective for achieving defense in depth. It separates the network into isolated segments, adding layers of security to deter attackers and enhance overall security posture.
109
How does the demilitarized zone (DMZ) contribute to security architecture, and what is its role in network segmentation?
The demilitarized zone (DMZ) is a common practice in security architecture, providing a physical separation between host systems accessible through the firewall and the internal network. It uses secured switches or an additional firewall to control traffic between the web server and the internal network, enhancing security through segmentation.
110
What is the purpose of using a DMZ in the context of network segmentation, and how does it help control access to application servers?
The DMZ serves the purpose of physically separating host systems accessible through the firewall from the internal network. It helps control access to application servers by limiting connectivity to those networks or systems with a legitimate need to connect, providing an additional layer of security through segmentation.
111
Why are application DMZs, or semi-trusted networks, frequently used in contemporary security practices?
Application DMZs, or semi-trusted networks, are frequently used to limit access to application servers to networks or systems with a legitimate need to connect. They enhance security by controlling and restricting connectivity, aligning with modern security practices that prioritize the principle of least privilege and segmentation.
112
In a network architecture, where might a web front-end server be located, and what role does it typically play?
A web front-end server might be located in the DMZ (demilitarized zone), and its role is to handle external user requests, providing access to web applications while maintaining a level of isolation from the internal network.
113
How does data flow between a web front-end server in the DMZ and a database server located on the other side of the firewall?
Data flows between a web front-end server in the DMZ and a database server on the other side of the firewall. The front-end server retrieves data from the database server to fulfill user requests, and this communication is typically controlled and monitored by the firewall.
114
What is a Web Application Firewall (WAF), and how does it differ from a traditional DMZ network?
A Web Application Firewall (WAF) is a security solution that monitors and filters traffic to and from a web application. Unlike a traditional DMZ network, a WAF may replace or complement it. The WAF has internal and external connections like a traditional firewall but focuses on monitoring all traffic, including encrypted traffic, for malicious behavior before passing commands to a web server.
115
How does a Web Application Firewall (WAF) enhance security in a network, especially concerning web applications?
A WAF enhances security by monitoring all traffic, both encrypted and non-encrypted, for malicious behavior. It adds an extra layer of protection before passing commands to a web server. This helps prevent attacks targeting web applications, offering improved security against various threats and vulnerabilities.
116
What is the nature of the toolsets used by current adversaries, and why do they pose a challenge to static security controls?
The toolsets of current adversaries are polymorphic, meaning they have the ability to change their characteristics, allowing threats to bypass static security controls. This poses a challenge as modern cyberattacks leverage traditional security models to move easily between systems within a data center.
117
How does microsegmentation contribute to protecting against modern cyber threats, and what is a fundamental design requirement for implementing microsegmentation?
Microsegmentation aids in protecting against modern cyber threats by controlling and securing traffic within a data center. A fundamental design requirement for microsegmentation is understanding the protection requirements for traffic within the data center and traffic to and from the internet.
118
What benefits can organizations gain by avoiding infrastructure-centric design paradigms in the context of data center security?
Organizations that avoid infrastructure-centric design paradigms are more likely to become efficient at service delivery in the data center. Additionally, they become adept at detecting and preventing advanced persistent threats, enhancing overall cybersecurity.
119
What is the purpose of Virtual Local Area Networks (VLANs) in a network, and how do they function to segregate or consolidate traffic across multiple switch ports?
VLANs allow network administrators to create software-based LAN segments using switches, segregating or consolidating traffic across multiple switch ports. Devices within the same VLAN communicate through switches as if they were on the same Layer 2 network.
120
How do VLANs contribute to reducing network congestion and improving administration in a network environment?
VLANs limit broadcast traffic to the specific VLAN, reducing congestion and making administration more efficient. They simplify environment administration, allowing reconfiguration when individuals change their physical location or need access to different services.
121
What are some criteria based on which VLANs can be configured, and how do these configurations enhance network flexibility and management?
VLANs can be configured based on switch port, IP subnet, MAC address, and protocols. This enhances network flexibility and management, allowing for dynamic reconfiguration based on various criteria like physical location changes or service access requirements.
122
Despite the advantages, what limitation should be considered with VLANs in terms of network security?
VLANs do not guarantee network security. Although communication within a VLAN is restricted to member devices, there are attacks, such as VLAN hopping, that can allow a malicious user to see traffic from other VLANs. VLANs are one tool among others to improve overall network security.
123
What is microsegmentation, and how does it allow for extremely granular restrictions within the IT environment?
Microsegmentation enables granular restrictions within the IT environment, allowing rules to be applied to individual machines or users. These rules can be highly detailed, specifying criteria such as IP addresses, time of day, credentials, and permitted services for connections.
124
How are the rules in microsegmentation different from physical rules, and what advantage does this provide in terms of administration?
Microsegmentation rules are logical, not physical, and do not require additional hardware or manual interaction with devices. Administrators can apply rules to various machines without physically touching each device or its connecting cables.
125
What is the ultimate end state of the defense-in-depth philosophy, and how does microsegmentation contribute to achieving this state?
The ultimate end state of the defense-in-depth philosophy is that no single point of access within the IT environment can lead to broader compromise. Microsegmentation contributes to this by providing extremely granular restrictions, preventing lateral movement in case of a breach.
126
In shared environments like the cloud, why is microsegmentation crucial, and what risk does it help mitigate?
Microsegmentation is crucial in shared environments like the cloud, where more than one customer's data might reside on the same devices. It helps mitigate the risk of exposure, especially when third-party personnel (cloud provider administrators/technicians) might have physical access to the devices.
127
How does microsegmentation contribute to enforcing the concept of least privilege, and what example is provided in the text to illustrate this concept?
Microsegmentation allows organizations to limit communication between business functions/units/offices/departments, enforcing the concept of least privilege. For example, HR data, which includes sensitive information like home addresses and medical records, can be microsegmented to reduce the risk of exposure to other business entities.
128
What technologies enable microsegmentation in modern environments, and what are the tools often used for applying microsegmentation in the cloud?
Microsegmentation is enabled by virtualization and software-defined networking (SDN) technologies. In the cloud, tools for applying microsegmentation are often called "virtual private networks (VPNs)" or "security groups."
129
How can microsegmentation be applied in a home environment, and what benefit does it provide in terms of network security?
In a home environment, microsegmentation can be used to separate devices like computers from smart TVs, air conditioning, and smart appliances. This helps prevent vulnerabilities and enhances network security by isolating different types of devices.
130
What characteristics of embedded systems make them efficient but also pose a security risk?
Embedded systems' efficiency is often attributed to a limited instruction set and hardcoded instructions stored in a memory chip. However, this simplicity poses a security risk, especially when these systems control physical devices and are connected to corporate networks using the TCP/IP protocol.
131
Why are embedded systems often connected to corporate networks, and what protocol do they commonly use?
Embedded systems are connected to corporate networks for ease of operation and are commonly using the TCP/IP protocol, which is the same protocol used all over the internet.
132
What is the primary reason for segmenting embedded systems on a network, and how does proper segmentation mitigate the risk?
The primary reason for segmenting embedded systems on a network is to prevent a compromised corporate network from accessing the physical controls on these systems. Proper segmentation ensures that even if the corporate network is compromised, it cannot control or manipulate the embedded systems.
133
Why is the lack of system updates a concern for embedded systems and IoT devices, and what challenges are associated with updating these systems?
The lack of system updates for embedded systems and IoT devices is a concern because it leaves vulnerabilities unpatched. Updating such systems, especially those with programming directly on chips, may require physical replacement of the chip, which can be costly and impractical for widespread deployments.
134
How does the convenience of internet-connected devices, such as cameras, light bulbs, and speakers, introduce security risks?
Internet-connected devices bring convenience to our lives but also introduce security risks. Many of these devices may not receive timely updates for discovered vulnerabilities, making them potential entry points for cybercriminals to access corporate networks when connected.
135
What is the significance of properly segmenting or separating IoT devices and compromised embedded systems on a corporate network?
Proper segmentation ensures that a compromise on an IoT device or a compromised embedded system cannot access corporate data and systems. This separation helps contain security threats and prevents unauthorized access to critical corporate resources.
136
What is Network Access Control (NAC), and how does it prevent unwanted devices from connecting to a network?
At its simplest form, Network Access Control (NAC) is a method to prevent unwanted devices from connecting to a network. Some NAC systems enforce device compliance with policies before allowing connection.
137
Provide a high-level example of how NAC works using hotel internet access.
In a hotel internet access scenario, users connecting to the hotel network must acknowledge an acceptable use policy before gaining internet access. After acknowledgment, the device is connected, and some hotels may add an additional layer, such as entering a special password or room number, to prevent abuse and track network usage.
138
Explain a more complex scenario involving NAC in a business environment that separates employee BYOD devices from corporate-owned devices.
In a business scenario, NAC can separate employee Bring Your Own Device (BYOD) devices from corporate-owned devices on the network. Pre-approved BYOD devices are validated by the NAC system using hardware addresses or installed software. The system may check for up-to-date antivirus software and operating systems before allowing connection to the corporate network. Personal devices not allowed on the corporate network may be redirected to a guest network for internet access without internal resource access.
139
What is the primary purpose of VLANs in a switch, and how do they help manage network traffic?
VLANs (Virtual Local Area Networks) in a switch are virtual separations used mainly to limit broadcast traffic. They can be configured to communicate with other VLANs or segregate network segments. VLANs help manage network traffic by isolating specific types of communication or devices, improving network efficiency.
140
Provide two common uses of VLANs in corporate networks
Separating Voice Over IP (VOIP) telephones from the corporate network to manage voice communication traffic more effectively.
Segmenting the data center from other network traffic, facilitating controlled server-to-server communication while allowing specific traffic from workstations or the web.
141
How are VLANs used in Network Access Control (NAC) systems, as discussed earlier?
In Network Access Control (NAC) systems, VLANs are used to control whether devices connect to the corporate network or a guest network. The VLAN associated with the device connection on the wireless access controller determines the VLAN on which the device operates and the networks it is allowed to access.
142
In what scenario would VLANs be used to limit the amount of broadcast traffic in a large corporate network?
VLANs are commonly used to limit broadcast traffic in large corporate networks, especially those with more than 1,000 devices. They may be separated by department, location/building, or other criteria to control and reduce broadcast traffic.
143
What is important to remember about VLANs concerning their logical separation and access to other VLANs?
While VLANs are logically separated, they can be configured to allow or deny access to other VLANs. They provide flexibility in controlling communication between different VLANs in a network.
144
What is a Virtual Private Network (VPN), and how does it enable communication between two hosts?
A Virtual Private Network (VPN) is a point-to-point connection between two hosts that allows them to communicate. It is not necessarily an encrypted tunnel by default. Secure communications are provided by the VPN when security protocols are selected and configured correctly, creating a trusted path over an untrusted network, such as the internet.
145
How do remote users typically use VPNs, and what resources might they have access to through a VPN?
Remote users use VPNs to access their organization's network. Depending on the VPN's implementation, remote users may have access to most of the same resources as if they were physically at the office. VPNs provide a secure way for remote users to connect to their organization's network over the internet.
146
In what scenarios do organizations use gateway-to-gateway VPNs, and what is their purpose?
Organizations use gateway-to-gateway VPNs as an alternative to expensive dedicated point-to-point connections. These VPNs securely transmit information over the internet between sites or with business partners. They provide a cost-effective and secure means of communication between different locations or entities.
147
