interview fix Flashcards
Amazon Elastic Block Store
Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale. A broad range of workloads, such as relational and non-relational databases, enterprise applications, containerized applications, big data analytics engines, file systems, and media workflows are widely deployed on Amazon EBS.
Application-Layer Attacks
The application layer is the topmost layer of the OSI network model and the one closest to the user?s interaction with the system. Attacks that make use of the application layer focus primarily on direct Web traffic. Potential avenues include HTTP, HTTPS, DNS, or SMTP.
Containerization
Containerization is defined as a form of operating system virtualization, through which applications are run in isolated user spaces called containers, all using the same shared operating system (OS).
Data Availability vs. Durability
Availability and durability are two very different aspects of data accessibility. Availability refers to system uptime, i.e. the storage system is operational and can deliver data upon request. Historically, this has been achieved through hardware redundancy so that if any component fails, access to data will prevail. Durability, on the other hand, refers to long-term data protection, i.e. the stored data does not suffer from bit rot, degradation or other corruption. Rather than focusing on hardware redundancy, it is concerned with data redundancy so that data is never lost or compromised.
DIFFERENCE BETWEEN STORAGE TYPES
File storage: Economical and easily structured, data are saved in files and folders. They are usually found on hard drives, which means that they appear exactly the same for the user and on the hard drive.
Block storage: Data are stored in blocks of uniform size. Although more expensive, complex, and less scalable, block storage is ideal for data that needs to be accessed and modified frequently.
Object storage: Data is stored as objects with unique metadata and identifiers. Although, in general, this type of storage is less expensive, objects? storage is only ideal for data that does not require modification.
Encryption at rest vs in transit
At rest : This kind of data is typically in a stable state: it is not traveling within the system or network, and it is not being acted upon by any application or third-party. It?s something that has reached a destination, at least temporarily.
In transit : Data that is going through a system or network, this data can be encrypted using https for example
IDS
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in AWS. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.
If you need to construct a 3-tier layer of storage, how can you divide where you store each file?
The answer is : you would use lifecycle management. Most accessed files are in S3, less S3 Standard infrequent access, rarely accessed files in Amazon s3 glacier extremly rare in S3 glacier deep archive. Non AWS answer: SSD for fast access, SSHD for less, HDD 7200RPM for rarely, HDD 5400RPM for extremely rareA traditional IDS typically relies on monitoring network traffic at specific network traffic control points, like firewalls and host network interfaces. This allows the IDS to use a set of preconfigured rules to examine incoming data packet information and identify patterns that closely align with network attack types. Traditional IDS have several challenges in the cloud:
Networks are virtualized. Data traffic control points are decentralized and traffic flow management is a shared responsibility with the cloud provider. This makes it difficult or impossible to monitor all network traffic for analysis.
Cloud applications are dynamic. Features like auto-scaling and load balancing continuously change how a network environment is configured as demand fluctuates.
Most traditional IDS require experienced technicians to maintain their effective operation and avoid the common issue of receiving an overwhelming number of false positive findings. As a compliance assessor, I have often seen IDS intentionally de-tuned to address the false positive finding reporting issue when expert, continuous support isn?t available.
GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon Virtual Private Cloud (Amazon VPC) flow logs, and Amazon Route 53 DNS logs. This gives GuardDuty the ability to analyze event data, such as AWS API calls to AWS Identity and Access Management (IAM) login events, which is beyond the capabilities of traditional IDS solutions. Monitoring AWS API calls from CloudTrail also enables threat detection for AWS serverless services, which sets it apart from traditional IDS solutions. However, without inspection of packet contents, the question remained, ?Is GuardDuty truly effective in detecting network level attacks that more traditional IDS solutions were specifically designed to detect??
AWS asked Foregenix to conduct a test that would compare GuardDuty to market-leading IDS to help answer this question for us. AWS didn?t specify any specific attacks or architecture to be implemented within their test. It was left up to the independent tester to determine both the threat space covered by market-leading IDS and how to construct a test for determining the effectiveness of threat detection capabilities of GuardDuty and traditional IDS solutions which included open-source and commercial IDS.
Foregenix configured a lab environment to support tests that used extensive and complex attack playbooks. The lab environment simulated a real-world deployment composed of a web server, a bastion host, and an internal server used for centralized event logging. The environment was left running under normal operating conditions for more than 45 days. This allowed all tested solutions to build up a baseline of normal data traffic patterns prior to the anomaly detection testing exercises that followed this activity.
Foregenix determined that GuardDuty is at least as effective at detecting network level attacks as other market-leading IDS. They found GuardDuty to be simple to deploy and required no specialized skills to configure the service to function effectively. Also, with its inherent capability of analyzing DNS requests, VPC flow logs, and CloudTrail events, they concluded that GuardDuty was able to effectively identify threats that other IDS could not natively detect and required extensive manual customization to detect in the test environment. Foregenix recommended that adding a host-based IDS agent on Amazon Elastic Compute Cloud (Amazon EC2) instances would provide an enhanced level of threat defense when coupled with Amazon GuardDuty.
As a PCI Qualified Security Assessor (QSA) company, Foregenix states that they consider GuardDuty as a qualifying network intrusion technique for meeting PCI DSS requirement 11.4. This is important for AWS customers whose applications must maintain PCI DSS compliance. Customers should be aware that individual PCI QSAs might have different interpretations of the requirement, and should discuss this with their assessor before a PCI assessment.
Customer PCI QSAs can also speak with AWS Security Assurance Services, an AWS Professional Services team of PCI QSAs, to obtain more information on how customers can leverage AWS services to help them maintain PCI DSS Compliance. Customers can request Security Assurance Services support through their AWS Account Manager, Solutions Architect, or other AWS support.
We invite you to download the Foregenix Amazon GuardDuty Security Review whitepaper to see the details of the testing and the conclusions provided by Foregenix.
IOPS
Input/output operations per second (IOPS, pronounced eye-ops) is an input/output performance measurement used to characterize computer storage devices like hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN)
NAS vs SAN
NAS Single point of failure attached on network small medium business part of local area network, subject to bottleneck
SAN mounts like a local drive more available multiple arrays shared in a cluster of servers dedicated network for enterprise level NET AFFECTED BY NETWORK TRAFFIC HIGH SPEED
object storage Vs file system
File storage organizes and represents data as a hierarchy of files in folders; block storage chunks data into arbitrarily organized, evenly sized volumes; and object storage manages data and links it to associated metadata.
OSI MODEL
https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/
Protocol Attacks
A protocol attack focuses on damaging connection tables in network areas that deal directly with verifying connections. By sending successively slow pings, deliberately malformed pings, and partial packets, the attacking computer can cause memory buffers in the target to overload and potentially crash the system. A protocol attack can also target firewalls. This is why a firewall alone will not stop denial of service attacks.
RAID level 0 - Striping
In a RAID 0 system data are split up into blocks that get written across all the drives in the array. By using multiple disks (at least 2) at the same time, this offers superior I/O performance.
RAID level 1 -Mirroring
Data are stored twice by writing them to both the data drive (or set of data drives) and a mirror drive (or set of drives). If a drive fails, the controller uses either the data drive or the mirror drive for data recovery and continues operation
RAID level 10 -combining RAID 1 and RAID 0
It is possible to combine the advantages (and disadvantages) of RAID 0 and RAID 1 in one single system. This is a nested or hybrid RAID configuration. It provides security by mirroring all data on secondary drives while using striping across each set of drives to speed up data transfers.
RAID level 5
RAID 5 is the most common secure RAID level. It requires at least 3 drives but can work with up to 16. Data blocks are striped across the drives and on one drive a parity checksum of all the block data is written. The parity data are not written to a fixed drive, they are spread across all drives, as the drawing below shows. Using the parity data, the computer can recalculate the data of one of the other data blocks, should those data no longer be available. That means a RAID 5 array can withstand a single drive failure without losing data or access to data.
RAID level 6 - Striping with double parity
RAID 6 is like RAID 5, but the parity data are written to two drives. That means it requires at least 4 drives and can withstand 2 drives dying simultaneously. The chances that two drives break down at exactly the same moment are of course very small. However, if a drive in a RAID 5 systems dies and is replaced by a new drive, it takes hours or even more than a day to rebuild the swapped drive. If another drive dies during that time, you still lose all of your data. With RAID 6, the RAID array will even survive that second failure.
Symmetric and Asymmetric encryption
Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetrical encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.
Throughput vs Latency
Latency is the time required to perform some action or to produce some result. Latency is measured in units of time – hours, minutes, seconds, nanoseconds or clock periods.
Throughput is the number of such actions executed or results produced per unit of time. This is measured in units of whatever is being produced (cars, motorcycles, I/O samples, memory words, iterations) per unit of time. The term “memory bandwidth” is sometimes used to specify the throughput of memory systems.
Volumetric Attacks DDOS
The most common DDoS attack overwhelms a machine?s network bandwidth by flooding it with false data requests on every open port the device has available. Because the bot floods ports with data, the machine continually has to deal with checking the malicious data requests and has no room to accept legitimate traffic. UDP floods and ICMP floods comprise the two primary forms of volumetric attacks.
Web Application Firewall Vs Firewall
In a technical sense, the difference between application-level firewalls and network-level firewalls is the layers of security they operate on. While web application firewalls operate on layer 7 (applications), network firewalls operate on layers 3 and 4 (data transfer and network). WAFs are focused on protecting applications, while network firewalls are more concerned with traffic into and out of your broader network
What are DDoS Attacks?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
What is Database Clustering
Database Clustering is the process of combining more than one servers or instances connecting a single database. Sometimes one server may not be adequate to manage the amount of data or the number of requests, that is when a Data Cluster is needed. Database clustering, SQL server clustering, and SQL clustering are closely associated with SQL is the language used to manage the database information.
The main reasons for database clustering are its advantages a server receives; Data redundancy, Load balancing, High availability, and lastly, Monitoring and automation.
What is identity management?
Identity management, also known as identity and access management, is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources
Why hash a file
It simply helps you to verify the integrity of the file that you are downloading. The hashes are calculated using “good data” and it helps you to check for file corruption.
Load balancing
Load balancing is the process of distributing network traffic across multiple servers. This ensures no single server bears too much demand. By spreading the work evenly, load balancing improves application responsiveness. It also increases availability of applications and websites for users.
DNS
Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
TCP vs. UDP
TCP is a connection-oriented protocol, whereas UDP is a connectionless protocol.
The speed for TCP is slower while the speed of UDP is faster
TCP uses handshake protocol like SYN, SYN-ACK, ACK while UDP uses no handshake protocols
TCP does error checking and also makes error recovery, on the other hand, UDP performs error checking, but it discards erroneous packets.
TCP has acknowledgment segments, but UDP does not have any acknowledgment segment.
TCP is heavy-weight, and UDP is lightweight.
Unicast vs Multicast
A Unicast transmission/stream sends IP packets to a single recipient on a network. A Multicast transmission sends IP packets to a group of hosts on a network. If the streaming video is to be distributed to a single destination, then you would start a Unicast stream by setting the destination IP address and port on the AVN equal to the destination?s values. If you want to view the stream at multiple concurrent locations, then you would set the AVN?s destination IP address to a valid Multicast IP address (224.0.0.0 ? 239.255.255.255)
When would DNS protocol use TCP vs. UDP transport protocol?
UDP packets are smaller in size. UDP packets can not be greater then 512 bytes. So any application needs data to be transferred greater than 512 bytes require TCP in place. For example, DNS uses both TCP and UDP for valid reasons described below. Note that UDP messages are not larger than 512 Bytes and are truncated when greater than this size. DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn’t get response from DNS it must re-transmit the data using TCP after 3-5 seconds of interval.
router vs switch
Just as a switch connects multiple devices to create a network, a router connects multiple switches, and their respective networks, to form an even larger network.
Hypervisor- distinguish multiple VMs running on it and isolate them from the underlying h/w?
A normal system call in a guest is processed by the guest OS without intervention of the hypervisor.
However, when the guest does cause a trap to the hypervisor (not a system call, but some other operation that requires hypervisor service), the hypervisor knows which guest it is because it knows which guest it scheduled on that CPU.
Virtualization
Virtualization is the process of running a virtual instance of a computer system in a layer abstracted from the actual hardware. Most commonly, it refers to running multiple operating systems on a computer system simultaneously. To the applications running on top of the virtualized machine, it can appear as if they are on their own dedicated machine, where the operating system, libraries, and other programs are unique to the guest virtualized system and unconnected to the host operating system which sits below it.
content delivery network
A content delivery network (CDN) refers to a geographically distributed group of servers which work together to provide fast delivery of Internet content.
A CDN allows for the quick transfer of assets needed for loading Internet content including HTML pages, javascript files, stylesheets, images, and videos. The popularity of CDN services continues to grow, and today the majority of web traffic is served through CDNs, including traffic from major sites like Facebook, Netflix, and Amazon.
cluster
A computer cluster is a set of loosely or tightly connected computers that work together so that, in many respects, they can be viewed as a single system.
IPSec VS SSL VPN
One of the major differences between SSL and IPsec is which layer of the OSI model each one belongs to. The OSI model is an abstract representation, broken into “layers,” of the processes that make the Internet work.
The IPsec protocol suite operates at the network layer of the OSI model. It runs directly on top of IP (the Internet Protocol), which is responsible for routing data packets.
Meanwhile, SSL operates at the application layer of the OSI model. It encrypts HTTP traffic instead of directly encrypting IP packets
MPLS
Multiprotocol Label Switching is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows
How to speed up a high latency link/high speed link?
Use UDP instead of TCP, DIsable encryption
CDN - How does a CDN make web sites faster?
By distributing content closer to website visitors by using a nearby CDN server (among other optimizations), visitors experience faster page loading times. As visitors are more inclined to click away from a slow-loading site, a CDN can reduce bounce rates and increase the amount of time that people spend on the site. In other words, a faster a website means more visitors will stay and stick around longer.
OSI
Layer 7 - Application
To further our bean dip analogy, the Application Layer is the one at the top - it?s what most users see. In the OSI model, this is the layer that is the ?closest to the end user?. Applications that work at Layer 7 are the ones that users interact with directly. A web browser (Google Chrome, Firefox, Safari, etc.) or other app - Skype, Outlook, Office - are examples of Layer 7 applications.
Layer 6 - Presentation
The Presentation Layer represents the area that is independent of data representation at the application layer. In general, it represents the preparation or translation of application format to network format, or from network formatting to application format. In other words, the layer ?presents? data for the application or the network. A good example of this is encryption and decryption of data for secure transmission - this happens at Layer 6.
Layer 5 - Session
When two devices, computers or servers need to ?speak? with one another, a session needs to be created, and this is done at the Session Layer. Functions at this layer involve setup, coordination (how long should a system wait for a response, for example) and termination between the applications at each end of the session.
Layer 4 ? Transport
The Transport Layer deals with the coordination of the data transfer between end systems and hosts. How much data to send, at what rate, where it goes, etc. The best known example of the Transport Layer is the Transmission Control Protocol (TCP), which is built on top of the Internet Protocol (IP), commonly known as TCP/IP. TCP and UDP port numbers work at Layer 4, while IP addresses work at Layer 3, the Network Layer.
Layer 3 - Network
Here at the Network Layer is where you?ll find most of the router functionality that most networking professionals care about and love. In its most basic sense, this layer is responsible for packet forwarding, including routing through different routers. You might know that your Boston computer wants to connect to a server in California, but there are millions of different paths to take. Routers at this layer help do this efficiently.
Layer 2 ? Data Link
The Data Link Layer provides node-to-node data transfer (between two directly connected nodes), and also handles error correction from the physical layer. Two sublayers exist here as well - the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. In the networking world, most switches operate at Layer 2.
Layer 1 - Physical
At the bottom of our OSI bean dip we have the Physical Layer, which represents the electrical and physical representation of the system. This can include everything from the cable type, radio frequency link (as in an 802.11 wireless systems), as well as the layout of pins, voltages and other physical requirements. When a networking problem occurs, many networking pros go right to the physical layer to check that all of the cables are properly connected and that the power plug hasn?t been pulled from the router, switch or computer, for example.
