Lesson 9 - Implement Secure Network Designs

Question 1

Typical weaknesses in secure network design include:

Answer 1

Single points of failure
Complex dependencies
Availability over confidentiality and integrity
Lack of documentation and change control
Overdependence on perimeter security

Question 2

In Ethernet, a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.

Answer 2

Switches
Switches work at layer 2 of the OSI model and make forwarding decisions based on the hardware or Media Access Control (MAC) address of attached nodes.

Question 3

provide a bridge between a cabled network and wireless clients, or stations.

Answer 3

Wireless access points
Access points work at layer 2 of the OSI model.

Question 4

A network device that links dissimilar networks and can support multiple alternate paths between location-based parameters such as speed, traffic loads, and price.

Answer 4

Routers
forward packets around an internetwork, making forwarding decisions based on IP addresses.
Routers work at layer 3 of the OSI model.
Routers can apply logical IP subnet addresses to segments within a network.

Question 5

Apply an access control list (ACL) to filter traffic passing in or out of a network segment.

Answer 5

Firewalls
Firewalls can work at layer 3 of the OSI model or higher.

Question 6

Distribute traffic between network segments or servers to optimize performance.

Answer 6

Load balancers
Load balancers can work at layer 4 of the OSI model or higher.

Question 7

Host name records and perform name resolution to allow applications and users to address hosts and services using fully qualified domain names (FQDNs) rather than IP addresses.

Answer 7

Domain Name System (DNS) servers
DNS works at layer 7 of the OSI model. Name resolution is a critical service in network design.
Abuse of name resolution is a common attack vector.

Question 8

Occurs between nodes on the same local network segment that are all in the same broadcast domain. A broadcast domain is either all the nodes connected to the same physical unmanaged switch, or all the nodes within a virtual LAN (VLAN) configured on one or more managed switches.

Answer 8

Layer 2 forwarding
At layer 2, each node is identified by the network interface’s hardware or Media Access Control (MAC) address. A MAC address is a 48-bit value written in hexadecimal notation, such as 00-15-5D-F4-83-48.

Question 9

Occurs between both logically and physically defined networks. A single network divided into multiple logical broadcast domains is said to be subnetted.

Answer 9

Layer 3 forwarding, or routing
Multiple networks joined by routers form an internetwork. At layer 3, nodes are identified by an Internet Protocol (IP) address.

Question 10

Maps a network interface’s hardware (MAC) address to an IP address.

Answer 10

Address Resolution Protocol (ARP)
Normally a device that needs to send a packet to an IP address but does not know the receiving device’s MAC address broadcasts an ARP Request packet, and the device with the matching IP responds with an ARP Reply.

Question 11

IP provides the addressing mechanism for logical networks and subnets.

Answer 11

Internet Protocol (IP)
A 32-bit IPv4 address is written in dotted decimal notation, with either a network prefix or subnet mask to divide the address into network ID and host ID portions. For example, in the IP address 172.16.1.101/16, the /16 prefix indicates that the first half of the address (172.16.0.0) is the network ID, while the remainder uniquely identifies a host on that network. This /16 prefix can also be written as a subnet mask in the form 255.255.0.0.

Question 12

Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

Answer 12

virtual LANs (VLANs).

Question 13

Allows a router to perform dynamic updates to its routing table based on route data exchanged with other routers.

Answer 13

routing protocols

Question 14

A path vector routing protocol used by ISPs to establish routing between one another.

Answer 14

Border Gateway Protocol (BGP)

Question 15

A link-state routing protocol used on IP networks

Answer 15

Open Shortest Path First (OSPF)

Question 16

IGRP is a distance vector-based routing protocol using a metric composed of several administrator weighted elements including reliability, bandwidth, delay, and load. E(nhanced)IGRP, the version now in use, supports classless addressing and more efficient route selection.

Answer 16

Enhanced Interior Gateway Routing Protocol (EIGRP)

Question 17

A distance vector-based routing protocol that uses a hop count to determine the distance to the destination network.

Answer 17

Routing Information Protocol (RIP)

Question 18

A portion of a network where all attached hosts can communicate freely with one another.

Answer 18

segment
Assuming an Ethernet network, network segments can be established physically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch. The two switches can be connected by a router and the router can enforce network policies or access control lists (ACL) to restrict communications between the two segments.

Question 19

A situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments.

Answer 19

Segregation
Assuming an Ethernet network, network segments can be established physically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch. The two switches can be connected by a router and the router can enforce network policies or access control lists (ACL) to restrict communications between the two segments.

Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical divisions enforced by IP subnets at layer 3.

Question 20

In networking infrastructure, an area of a network where the security configuration is the same for all hosts within it. In physical security, an area separated by barriers that control entry and exit points.

Answer 20

Zone

Question 21

A private network that is only accessible by the organization’s own personnel.

Answer 21

Intranet (private network)

Question 22

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

Answer 22

demilitarized zones (DMZs)

Question 23

This is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.

Answer 23

Internet/guest

Question 24

A private network that provides some access to outside parties, particularly vendors, partners, and select customers.

Answer 24

extranet

Question 25

A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.

Answer 25

bastion hosts
Run minimal services to reduce the attack surface as much as possible.
A bastion host would not be configured with any data that could be a security risk to the internal network, such as user account credentials.

Question 26

Uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

Answer 26

Screened Subnet

Question 27

A DMZ can also be established using one router/firewall appliance with three network interfaces, referred to as triple-homed. One interface is the public one, another is the DMZ, and the third connects to the LAN. Routing and filtering rules determine what forwarding is allowed between these interfaces. This can achieve the same sort of configuration as a screened subnet.

Answer 27

Triple-Homed Firewall

Question 28

A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

Answer 28

screened host
The edge firewall can be referred to as the screening firewall or router.
The internal firewall filters communications between hosts in the DMZ and hosts on the LAN.
This firewall is often described as the choke firewall.
A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

Question 29

Traffic that goes to and from a data center.

Answer 29

North-South Traffic

Question 30

Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).

Answer 30

East-West Traffic
Traffic within data center

Question 31

Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

Answer 31

Zero Trust
Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise by threat actors.

Question 32

Software that can scan a network and identify hosts, addresses, protocols, network interconnections, and so on.

Answer 32

network mapping

Question 33

Some transmission media are susceptible to eavesdropping (listening in to communications sent over the media). To secure transmissions, they must be encrypted.

Answer 33

eavesdropping

Question 34

A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently. Also referred to as an on-path attack.

Answer 34

Man-in-the-Middle (MitM) Attacks
On-Path Attach

Question 35

An attack in which an attacker falsifies the factory-assigned MAC address of a device’s network interface.

Answer 35

MAC Cloning
MAC Address Spoofing

Question 36

A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.

Answer 36

Packet Crafting

Question 37

The broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment.

Answer 37

Address Resolution Protocol (ARP)
A host uses the Address Resolution Protocol (ARP) to discover the host on the local segment that owns an IP address.

Question 38

A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.

Answer 38

ARP Poisoning
It is directed at host.

Question 39

A variation of an ARP poisoning attack where a switch’s cache table is inundated with frames from random source MAC addresses.

Answer 39

MAC Flooding
MAC Flooding is used to attack a switch.
The intention of the attacker is to exhaust the memory used to store the switch’s MAC address table. The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor.

Question 40

The table on a switch keeping track of MAC addresses associated with each port. As the switch uses a type of memory called Content Addressable Memory (CAM), this is sometimes called the CAM table.

Answer 40

MAC Address Table

Question 41

A switching protocol that prevents network loops by dynamically disabling links as needed.

Answer 41

Spanning Tree Protocol (STP)
Layer 2 loops are prevented by the Spanning Tree Protocol (STP).
Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

Question 42

Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.

Answer 42

Broadcast Storms
STP is principally designed to prevent broadcast storms. Switches forward broadcast, multicast, and unknown unicast traffic out of all ports. If a bridged network contains a loop, broadcast traffic will travel through the network, get amplified by the other switches, and arrive back at the original switch, which will re-broadcast each incoming broadcast frame, causing an exponential increase (the storm), which will rapidly overwhelm the switches and crash the network.

Question 43

Switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports where there any BPDU frames are likely to be malicious.

Answer 43

BPDU Guard
Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.

Question 44

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

Answer 44

Port Security

Question 45

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

Answer 45

MAC Filtering
Configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port.
For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port, but then drop any traffic from machines with different MAC addresses that try to connect.
This provides a guard against MAC flooding attacks.

Question 46

The protocol that allows a server to assign IP address information to a client when it connects to the network.

Answer 46

DHCP
DHCP is the protocol that allows a server to assign IP address information to a client when it connects to the network.

Question 47

A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.

Answer 47

Dynamic Host Configuration Protocol (DHCP) snooping
Port 67 and 68.
Dynamic ARP inspection (DAI), which can be configured alongside DHCP snooping, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies.
DAI maintains a trusted database of IP:ARP mappings and ensures that ARP packets are validly constructed and use valid IP addresses.

Question 48

Maintains a trusted database of IP:ARP mappings and ensures that ARP packets are validly constructed and use valid IP addresses

Answer 48

Dynamic ARP Inspection (DAI)

Question 49

A switch (or router) that performs some sort of authentication of the attached device before activating the port.

Answer 49

port-based network access control (PNAC)
The IEEE 802.1X standard defines a port-based network access control (PNAC) mechanism.
PNAC means that the switch uses an AAA server to authenticate the attached device before activating the port.

Question 50

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

Answer 50

Network Access Control (NAC)

Question 51

The process for verifying compliance with a health policy by using host health checks.

Answer 51

Posture Assessment

Question 52

A device that provides a connection between wireless devices and can connect to wired networks.

Answer 52

Access Points
The access points forward traffic to and from the wired switched network. Each WAP is identified by its MAC address, also referred to as its basic service set identifier (BSSID). Each wireless network is identified by its name, or service set identifier (SSID).

Question 53

A character string that identifies a particular wireless LAN (WLAN).

Answer 53

Service Set Identifier (SSID)

Question 54

Wireless Access Point (WAP) - different types of interference

Answer 54

Co-channel interference (CCI)—when two WAPs in close proximity use the same channel, they compete for bandwidth within that channel, as signals collide and have to be re-transmitted.
Adjacent channel interference (ACI)—channels have only ~5 MHz spacing, but Wi-Fi requires 20 MHz of channel space. When the channels selected for WAPs are not cleanly spaced, the interference pattern creates significant numbers of errors and loss of bandwidth. For example, if two access points within range of one another are configured in the 2.4 GHz band with channels 1 and 6, they will not overlap. If a third access point is added using channel 3, it will use part of the spectrum used by both the other WAPs, and all three networks will suffer from interference.

Question 55

A collection of information about a location for the purposes of building an ideal infrastructure; it often contains optimum locations for wireless antenna and access point placement to provide the required coverage for clients and identifying sources of interference.

Answer 55

Site Survey

Question 56

In a Wi-Fi site survey, a diagram showing signal strength at different locations.

Answer 56

Heat Map

Question 57

A device that provides centralized management and monitoring of wireless LAN management for multiple APs.

Answer 57

Wireless Controllers

Question 58

An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller

Answer 58

Fat WAP

Question 59

A wireless controller that requires a wireless controller in order to function.

Answer 59

Thin WAP

Question 60

Standards for authenticating and encrypting access to Wi-Fi networks.

Answer 60

Wi-Fi Protected Access (WPA)
The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Like WEP, version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.

Question 61

A legacy mechanism for encrypting data sent over a wireless connection.

Answer 61

wired equivalent privacy (WEP)

Question 62

A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

Answer 62

Temporal Key Integrity Protocol (TKIP)

Question 63

uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.

Answer 63

WPA2

Question 64

Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.

Answer 64

Simultaneous Authentication of Equals (SAE)

Question 65

Mode of operation for AES that ensures authenticated encryption.

Answer 65

AES Galois Counter Mode Protocol (GCMP)

Question 66

Wi-Fi Authentication types:

Answer 66

Personal, Open, and Enterprise
Within the personal category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).

Question 67

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

Answer 67

pre-shared key (PSK)

Question 68

In WPA2, pre-shared key (PSK) authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm. This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network. The PMK is used as part of WPA2’s 4-way handshake to derive various session keys.

Answer 68

WPA2 Pre-Shared Key Authentication

Question 69

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks. SAE uses the Dragonfly handshake, which is basically Diffie-Helllman over elliptic curves key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute-force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

Answer 69

WPA3 Personal Authentication

Question 70

A feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

Answer 70

Wi-Fi Protected Setup (WPS)

Question 71

A web page or website to which a client is redirected before being granted full network access.

Answer 71

captive portal

Question 72

An EAP method that requires server-side and client-side certificates for authentication using SSL/ TLS.

Answer 72

EAP-TLS
Extensible Authentication Protocol
EAP-TLS is one of the strongest types of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client device, possibly in a Trusted Platform Module (TPM).

Question 73

EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

Answer 73

Protected Extensible Authentication Protocol (PEAP)
as with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate.

Question 74

An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.

Answer 74

EAP-Tunneled TLS (EAP-TTLS)
EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user’s authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MS-CHAPv2 or EAP-GTC.

Question 75

An EAP method that is expected to address the shortcomings of LEAP.

Answer 75

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server’s master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack

Question 76

An access point that has been installed on the network without authorization, whether with malicious intent or not.

Answer 76

Rogue Access Point

Question 77

A wireless access point that deceives users into believing that it is a legitimate network access point.

Answer 77

Evil Twin
A rogue WAP masquerading as a legitimate one

Question 78

Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.

Answer 78

Disassociation Attack / Deauthentication Attack
Exploits the lack of encryption in management frame traffic to send spoofed frames.

Question 79

A wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.

Answer 79

IV attacks
exploits the lack of encryption in management frame traffic to send spoofed frames.

Question 80

An attack in which radio waves disrupt 802.11 wireless signals.

Answer 80

Jamming Attack
Exploits the lack of encryption in management frame traffic to send spoofed frames.

Question 81

A device that can detect the source of interference on a wireless network.

Answer 81

Spectrum Analyzer

Question 82

Any type of physical, application, or network attack that affects the availability of a managed resource.

Answer 82

Denial of Service (DoS)

Question 83

An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.

Answer 83

Distributed DoS (DDoS)

Question 84

A DoS attack where the attacker sends numerous SYN requests to a target server, hoping to consume enough resources to prevent the transfer of legitimate traffic.

Answer 84

SYN flood attack

Question 85

A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor.

Answer 85

Amplification Attack

Question 86

This allows a short request to direct a long response at the victim network.

Answer 86

DNS amplification attack

Question 87

TCP/IP application protocol allowing machines to synchronize to the same time clock that runs over UDP port 123.

Answer 87

Network Time Protocol (NTP)

Question 88

A communications network designed to implement an industrial control system rather than data networking.

Answer 88

Operational Technology (OT)

Question 89

DDoS attacks can be diagnosed by traffic spikes that have no legitimate explanation, but can usually only be counteracted by providing high availability services, such as load balancing and cluster services.

Answer 89

Blackhole
A blackhole is an area of the network that cannot reach any other part of the network.
Sinkhole
Sinkhole routing so that the traffic flooding a particular IP address is routed to a different network where it can be analyzed.

Question 90

Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.

Answer 90

remotely triggered blackhole (RTBH)

Question 91

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

Answer 91

Sinkhole

Question 92

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

Answer 92

Load Balancer
distributes client requests across available server nodes in a farm or pool.
This is used to provision services that can scale from light to heavy loads, and to provide mitigation against DDoS attacks.

Question 93

2 Type of Load Balancer.

Answer 93

Layer 4 load balancer—basic load balancers make forwarding decisions on IP address and TCP/UDP port values, working at the transport layer of the OSI model.
Layer 7 load balancer (content switch)—as web applications have become more complex, modern load balancers need to be able to make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming. This requires more complex logic, but the processing power of modern appliances is sufficient to deal with this.

Question 94

The algorithm is the code and metrics that determine which node is selected for processing each incoming request. The simplest type of scheduling is called round robin; this just means picking the next node.

Answer 94

scheduling algorithm
Round Robin

Question 95

A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question.

Answer 95

Session Affinity
A layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request.

Question 96

In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

Answer 96

Persistence

Question 97

A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

Answer 97

Clustering
Clustering allows multiple redundant processing nodes that share data with one another to accept connections.

Question 98

A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.

Answer 98

failover

Question 99

Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).

Answer 99

Quality of Service (QoS)

Question 100

The time it takes for a signal to reach the recipient. A video application can support a latency of about 80 ms, while typical latency on the Internet can reach 1000 ms at peak times. Latency is a particular problem for 2-way applications, such as VoIP (telephone) and online conferencing.

Answer 100

Latency

Question 101

A variation in the time it takes for a signal to reach the recipient.

Answer 101

Jitter
Jitter manifests itself as an inconsistent rate of packet delivery. If packet loss or delay is excessive, then noticeable audio or video problems (artifacts) are experienced by users.

Question 102

The protocol that allows a server to assign IP address information to a client when it connects to the network.

Answer 102

DHCP

Question 103

A DMZ can also be established using one router/firewall appliance with three network interfaces, referred to as triple-homed. One interface is the public one, another is the DMZ, and the third connects to the LAN. Routing and filtering rules determine what forwarding is allowed between these interfaces. This can achieve the same sort of configuration as a screened subnet.