Lesson 3.3 given a scenario, implement secure network designs

Question 1

What is an Extranet

Answer 1

A zone created to allow authorized users access to company assets separate from the intranet

Question 2

What is a intranet?

Answer 2

An internal company zone established to allow employees the ability to share content and communicate more effectively

Question 3

What is a Demilitarized Zone (DMZ)

Answer 3

area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN

Question 4

What is a VLAN?

Answer 4

a logical group of network devices on the same LAN, despite their geographical distribution. It can divide the devices logically on the data link layer, and group users according to departments.

Question 5

What is Data Loss Prevention (DLP)

Answer 5

prevent the removing or sending of protected information, but it cannot scan for malware

Question 6

What is Unified Threat Management (UTM)

Answer 6

an all-in-one security appliance that combines the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and many more.

Question 7

What is firewall?

Answer 7

a software or hardware device that protects a system or network by blocking unwanted network traffic. It is not designed to scan for malware.

Question 8

what does a virtual ip address do

Answer 8

ensures a smooth transition over to the secondary load balancer if the primary fails. Users or other services will only need to know one destination IP address to reach the web server farm

Question 9

Describe an active/passive technology

Answer 9

ensure a proper failure capability. Requests will continually flow through one load balancer and through the secondary if the primary fails.

Question 10

What is a Bridged Protocol Data Unit (BPDU) guard

Answer 10

guard setting is applied to switches. This causes a portfast-configured port that receives a BPDU to become disabled.

Question 11

Describe east-west traffic

Answer 11

describes the network and platform configurations that support cloud and other Internet services where most traffic is actually between servers within the data center.

Question 12

Describe zero trust

Answer 12

uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise. It can use micro-segmentation to apply security policies to single node like it was in its own zone

Question 13

What is something you can do to improve video quality and overall use of the network bandwidth

Answer 13

Switches that support quality of service use the 802.1p header to prioritize frames. This will improve video conferences and make efficient use of the overall network bandwidth.

Question 14

What is Out of Band management

Answer 14

a means of remote management of a system; a term commonly used when managing network devices

Question 15

Always on VPN

Answer 15

allow for a continued connection between the geographically separated servers and the employee.

Question 16

Remote Access VPN

Answer 16

allow an authorized user to connect to an internal network from a remote location. Tunneling protocols encapsulate and encrypt traffic for data protection and integrity

Question 17

VPN concentrator

Answer 17

incorporates the most advanced encryption and authentication techniques and includes all of the items necessary to create a VPN.

Question 18

Site-to-site VPN

Answer 18

connects multiple networks versus one. Remote users can access both locations as if they were onsite without noticing the location separation

Question 19

What is a jump server

Answer 19

runs only necessary administrative applications to securely access a web server, for example, in the DMZ. This minimizes any inherit risks when connecting to the DMZ from a secure zone

Question 20

Gateway Load Balancing Protocol (GLBP)

Answer 20

runs only necessary administrative applications to securely access a web server, for example, in the DMZ. This minimizes any inherit risks when connecting to the DMZ from a secure zone

Question 21

Common Address Redundancy (CARP)

Answer 21

another commonly used network protocol that works in the same way as GLBP.

Question 22

What is an agentless health or posture

Answer 22

supports a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available.

Question 23

What is a non-persistent or dissolvable agent

Answer 23

loaded into memory and never installed on the system. This option still requires an agent that may not be compatible with mobile devices.

Question 24

What is a quarantine network

Answer 24

a restricted network that uncompliant devices are redirected to, only after it has been assessed. A policy for mobile devices must be in place for proper remediation to take place

Question 25

Layer does a network-based firewall analyze packets at

Answer 25

Layer 2

Question 26

What is another name for application firewall

Answer 26

stateful multilayer inspection firewall

Question 27

What is a scheduling algorithm

Answer 27

the code and metrics that determine which node is selected for processing each incoming request. The simplest scheduling is round robin; this just means picking the next node.

Question 28

active/ passive configuration

Answer 28

sends all requests to one node while the other node is on standby. The secondary node takes over services when the primary node loses connectivity or goes offline

Question 29

persistence settings

Answer 29

allow an application-layer load balancer to keep clients connected to a session. This is achieved with a cookie at the client.

Question 30

Lightweight Directory Access Protocol Secure (LDAPS)

Answer 30

Uses port 636 to setup a secure channel to a directory service using a digital certificate

Question 31

Hypertext Transfer Protocol Secure (HTTPS)

Answer 31

uses port 443 to connect clients to a web server or service using digital certificates. HTTPS is commonly secured using the transport layer security (TLS)

Question 32

Secure Multipart Internet Message Extensions (S/MIME)

Answer 32

is used to sign and encrypt mail messages using an email certificate.

Question 33

Encapsulation Security Payload (ESP)

Answer 33

provides confidentiality and/or authentication and integrity. ESP is used with Internet Protocol Security (IPSec) over layer 3 of the Open Systems Interconnection (OSI) model

Question 34

Secure Post Office Protocol v3 (POP3)

Answer 34

is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at their convenience.

Question 35

Secure Internet Message Access Protocol v4 (IMAP4)

Answer 35

is designed for dial-up access. The client contacts the server to download its messages, then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. Messages are stored and organized on the server.

Question 36

Simple Mail Transfer Protocol (SMTP)

Answer 36

specifies how mail is delivered from one system to another.

Question 37

Secure Multipurpose Internet Mail Extensions (S/MIME)

Answer 37

the user is issued a digital certificate containing a public key that is signed by a Certificate Authority to establish validity.

Question 38

Transport Layer Security (TLS) 1.2

Answer 38

added support for the strong Secure Hash Algorithm (SHA)-256 cipher. That is the primary difference between TLS 1.1 and TLS 1.2.

Question 39

Secure Sockets Layer (SSL) 3.0

Answer 39

is less secure than any of the TLS versions and does not support SHA-256 cipher

Question 40

TLS 1.1

Answer 40

added the improvement to the cipher suite negotiation process and protection against known attacks but does not support the SHA-256 cipher.

Question 41

SSL 2.0

Answer 41

is deprecated and should only be deployed when subject to risk assessments. This version does not support the SHA-256 cipher

Question 42

Simple Network Management Protocol (SNMP) v3

Answer 42

supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions

Question 43

SNMPv1

Answer 43

uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted.

Question 44

SNMPv2c

Answer 44

also uses community names that are sent in plaintext and should not be transmitted over the network, if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support strong user-based authentication

Question 45

Management Information Base (MIB)

Answer 45

is the database that the SNMP agent uses. The agent is a process that runs on a switch, router, server, or SNMP compatible network device.