Lesson 9 - Implement Secure Network Designs Flashcards

1
Q

Typical weaknesses in secure network design include:

A

Single points of failure
Complex dependencies
Availability over confidentiality and integrity
Lack of documentation and change control
Overdependence on perimeter security

2
Q

In Ethernet, a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.

A

Switches
Switches work at layer 2 of the OSI model and make forwarding decisions based on the hardware or Media Access Control (MAC) address of attached nodes.

3
Q

Provide a bridge between a cabled network and wireless clients, or stations.

A

Wireless access points
Access points work at layer 2 of the OSI model.

4
Q

A network device that links dissimilar networks and can support multiple alternate paths between locations based on parameters such as speed, traffic loads, and price.

A

Routers
Routers forward packets around an internetwork, making forwarding decisions based on IP addresses.
Routers work at layer 3 of the OSI model.
Routers can apply logical IP subnet addresses to segments within a network.

5
Q

Apply an access control list (ACL) to filter traffic passing in or out of a network segment.

A

Firewalls
Firewalls can work at layer 3 of the OSI model or higher.

6
Q

Distribute traffic between network segments or servers to optimize performance.

A

Load balancers
Load balancers can work at layer 4 of the OSI model or higher.

7
Q

Hosts name records and performs name resolution to allow applications and users to address hosts and services using fully qualified domain names (FQDNs) rather than IP addresses.

A

Domain Name System (DNS) servers
DNS works at layer 7 of the OSI model. Name resolution is a critical service in network design.
Abuse of name resolution is a common attack vector.

8
Q

Occurs between nodes on the same local network segment that are all in the same broadcast domain. A broadcast domain is either all the nodes connected to the same physical unmanaged switch, or all the nodes within a virtual LAN (VLAN) configured on one or more managed switches.

A

Layer 2 forwarding
At layer 2, each node is identified by the network interface’s hardware or Media Access Control (MAC) address. A MAC address is a 48-bit value written in hexadecimal notation, such as 00-15-5D-F4-83-48.

9
Q

Occurs between both logically and physically defined networks. A single network divided into multiple logical broadcast domains is said to be subnetted.

A

Layer 3 forwarding, or routing
Multiple networks joined by routers form an internetwork. At layer 3, nodes are identified by an Internet Protocol (IP) address.

10
Q

Maps a network interface’s hardware (MAC) address to an IP address.

A

Address Resolution Protocol (ARP)
Normally a device that needs to send a packet to an IP address but does not know the receiving device’s MAC address broadcasts an ARP Request packet, and the device with the matching IP responds with an ARP Reply.

11
Q

IP provides the addressing mechanism for logical networks and subnets.

A

Internet Protocol (IP)
A 32-bit IPv4 address is written in dotted decimal notation, with either a network prefix or subnet mask to divide the address into network ID and host ID portions. For example, in the IP address 172.16.1.101/16, the /16 prefix indicates that the first half of the address (172.16.0.0) is the network ID, while the remainder uniquely identifies a host on that network. This /16 prefix can also be written as a subnet mask in the form 255.255.0.0.

12
Q

Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

A

Virtual LANs (VLANs)

13
Q

Allows a router to perform dynamic updates to its routing table based on route data exchanged with other routers.

A

Routing protocols

14
Q

A path vector routing protocol used by ISPs to establish routing between one another.

A

Border Gateway Protocol (BGP)

15
Q

A link-state routing protocol used on IP networks

A

Open Shortest Path First (OSPF)

16
Q

IGRP is a distance vector-based routing protocol using a metric composed of several administrator-weighted elements, including reliability, bandwidth, delay, and load. E(nhanced)IGRP, the version now in use, supports classless addressing and more efficient route selection.

A

Enhanced Interior Gateway Routing Protocol (EIGRP)

17
Q

A distance vector-based routing protocol that uses a hop count to determine the distance to the destination network.

A

Routing Information Protocol (RIP)

18
Q

A portion of a network where all attached hosts can communicate freely with one another.

A

Segment
Assuming an Ethernet network, network segments can be established physically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch. The two switches can be connected by a router and the router can enforce network policies or access control lists (ACL) to restrict communications between the two segments.

19
Q

A situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments.

A

Segregation
Assuming an Ethernet network, network segments can be established physically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch. The two switches can be connected by a router and the router can enforce network policies or access control lists (ACL) to restrict communications between the two segments.

Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical divisions enforced by IP subnets at layer 3.

20
Q

In networking infrastructure, an area of a network where the security configuration is the same for all hosts within it. In physical security, an area separated by barriers that control entry and exit points.

A

Zone

21
Q

A private network that is only accessible by the organization’s own personnel.

A

Intranet (private network)

22
Q

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

A

Demilitarized zones (DMZs)

23
Q

This is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.

A

Internet/guest

24
Q

A private network that provides some access to outside parties, particularly vendors, partners, and select customers.

A

Extranet

25
Q

A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.

A

Bastion hosts
Bastion hosts run minimal services to reduce the attack surface as much as possible.
A bastion host would not be configured with any data that could be a security risk to the internal network, such as user account credentials.

26
Q

Uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

A

Screened Subnet

27
Q

A DMZ can also be established using one router/firewall appliance with three network interfaces, referred to as triple-homed. One interface is the public one, another is the DMZ, and the third connects to the LAN. Routing and filtering rules determine what forwarding is allowed between these interfaces. This can achieve the same sort of configuration as a screened subnet.

A

Triple-Homed Firewall

28
Q

A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

A

Screened host
The edge firewall can be referred to as the screening firewall or router.
The internal firewall filters communications between hosts in the DMZ and hosts on the LAN.
This firewall is often described as the choke firewall.
A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

29
Q

Traffic that goes to and from a data center.

A

North-South Traffic

30
Q

Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).

A

East-West Traffic
Traffic within a data center.

31
Q

Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

A

Zero Trust
Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise by threat actors.

32
Q

Software that can scan a network and identify hosts, addresses, protocols, network interconnections, and so on.

A

Network mapping

33
Q

Some transmission media are susceptible to eavesdropping (listening in to communications sent over the media). To secure transmissions, they must be encrypted.

A

Eavesdropping

34
Q

A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently. Also referred to as an on-path attack.

A

Man-in-the-Middle (MitM) Attacks
On-Path Attack

35
Q

An attack in which an attacker falsifies the factory-assigned MAC address of a device’s network interface.

A

MAC Cloning
MAC Address Spoofing

36
Q

A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.

A

Packet Crafting

37
Q

The broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment.

A

Address Resolution Protocol (ARP)
A host uses the Address Resolution Protocol (ARP) to discover the host on the local segment that owns an IP address.

38
Q

A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.

A

ARP Poisoning
It is directed at hosts.

39
Q

A variation of an ARP poisoning attack where a switch’s cache table is inundated with frames from random source MAC addresses.

A

MAC Flooding
MAC Flooding is used to attack a switch.
The intention of the attacker is to exhaust the memory used to store the switch’s MAC address table. The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor.

40
Q

The table on a switch keeping track of MAC addresses associated with each port. As the switch uses a type of memory called Content Addressable Memory (CAM), this is sometimes called the CAM table.

A

MAC Address Table

41
Q

A switching protocol that prevents network loops by dynamically disabling links as needed.

A

Spanning Tree Protocol (STP)
Layer 2 loops are prevented by the Spanning Tree Protocol (STP).
Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

42
Q

Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.

A

Broadcast Storms
STP is principally designed to prevent broadcast storms. Switches forward broadcast, multicast, and unknown unicast traffic out of all ports. If a bridged network contains a loop, broadcast traffic will travel through the network, get amplified by the other switches, and arrive back at the original switch, which will re-broadcast each incoming broadcast frame, causing an exponential increase (the storm), which will rapidly overwhelm the switches and crash the network.

43
Q

Switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports, where any BPDU frames are likely to be malicious.

A

BPDU Guard
Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.

44
Q

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

A

Port Security

45
Q

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

A

MAC Filtering
Configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port.
For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port, but then drop any traffic from machines with different MAC addresses that try to connect.
This provides a guard against MAC flooding attacks.

46
Q

The protocol that allows a server to assign IP address information to a client when it connects to the network.

A

DHCP
DHCP is the protocol that allows a server to assign IP address information to a client when it connects to the network.

47
Q

A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.

A

Dynamic Host Configuration Protocol (DHCP) snooping
Ports 67 and 68.
Dynamic ARP inspection (DAI), which can be configured alongside DHCP snooping, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies.
DAI maintains a trusted database of IP:ARP mappings and ensures that ARP packets are validly constructed and use valid IP addresses.

48
Q

Maintains a trusted database of IP:ARP mappings and ensures that ARP packets are validly constructed and use valid IP addresses

A

Dynamic ARP Inspection (DAI)

49
Q

A switch (or router) that performs some sort of authentication of the attached device before activating the port.

A

Port-based network access control (PNAC)
The IEEE 802.1X standard defines a port-based network access control (PNAC) mechanism.
PNAC means that the switch uses an AAA server to authenticate the attached device before activating the port.

50
Q

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

A

Network Access Control (NAC)

51
Q

The process for verifying compliance with a health policy by using host health checks.

A

Posture Assessment

52
Q

A device that provides a connection between wireless devices and can connect to wired networks.

A

Access Points
The access points forward traffic to and from the wired switched network. Each WAP is identified by its MAC address, also referred to as its basic service set identifier (BSSID). Each wireless network is identified by its name, or service set identifier (SSID).

53
Q

A character string that identifies a particular wireless LAN (WLAN).

A

Service Set Identifier (SSID)

54
Q

Wireless Access Point (WAP) - different types of interference

A

Co-channel interference (CCI)—when two WAPs in close proximity use the same channel, they compete for bandwidth within that channel, as signals collide and have to be re-transmitted.
Adjacent channel interference (ACI)—channels have only ~5 MHz spacing, but Wi-Fi requires 20 MHz of channel space. When the channels selected for WAPs are not cleanly spaced, the interference pattern creates significant numbers of errors and loss of bandwidth. For example, if two access points within range of one another are configured in the 2.4 GHz band with channels 1 and 6, they will not overlap. If a third access point is added using channel 3, it will use part of the spectrum used by both the other WAPs, and all three networks will suffer from interference.

55
Q

A collection of information about a location for the purposes of building an ideal infrastructure; it often contains optimum locations for wireless antenna and access point placement to provide the required coverage for clients, and identifies sources of interference.

A

Site Survey

56
Q

In a Wi-Fi site survey, a diagram showing signal strength at different locations.

A

Heat Map

57
Q

A device that provides centralized management and monitoring of the wireless LAN for multiple APs.

A

Wireless Controllers

58
Q

An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller.

A

Fat WAP

59
Q

An access point that requires a wireless controller in order to function.

A

Thin WAP

60
Q

Standards for authenticating and encrypting access to Wi-Fi networks.

A

Wi-Fi Protected Access (WPA)
The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Like WEP, version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.

61
Q

A legacy mechanism for encrypting data sent over a wireless connection.

A

Wired Equivalent Privacy (WEP)

62
Q

A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

A

Temporal Key Integrity Protocol (TKIP)

63
Q

Uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.

A

WPA2

64
Q

Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.

A

Simultaneous Authentication of Equals (SAE)

65
Q

Mode of operation for AES that ensures authenticated encryption.

A

AES Galois Counter Mode Protocol (GCMP)

66
Q

Wi-Fi Authentication types:

A

Personal, Open, and Enterprise
Within the personal category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).

67
Q

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

A

Pre-shared key (PSK)

68
Q

In WPA2, pre-shared key (PSK) authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm. This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network. The PMK is used as part of WPA2’s 4-way handshake to derive various session keys.

A

WPA2 Pre-Shared Key Authentication

69
Q

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks. SAE uses the Dragonfly handshake, which is basically Diffie-Hellman key agreement over elliptic curves, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute-force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

A

WPA3 Personal Authentication

70
Q

A feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

A

Wi-Fi Protected Setup (WPS)

71
Q

A web page or website to which a client is redirected before being granted full network access.

A

Captive portal

72
Q

An EAP method that requires server-side and client-side certificates for authentication using SSL/TLS.

A

EAP-TLS
Extensible Authentication Protocol
EAP-TLS is one of the strongest types of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client device, possibly in a Trusted Platform Module (TPM).

73
Q

EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

A

Protected Extensible Authentication Protocol (PEAP)
As with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate.

74
Q

An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.

A

EAP-Tunneled TLS (EAP-TTLS)
EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user’s authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MS-CHAPv2 or EAP-GTC.

75
Q

An EAP method that is expected to address the shortcomings of LEAP.

A

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.

76
Q

An access point that has been installed on the network without authorization, whether with malicious intent or not.

A

Rogue Access Point

77
Q

A wireless access point that deceives users into believing that it is a legitimate network access point.

A

Evil Twin
A rogue WAP masquerading as a legitimate one.

78
Q

Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.

A

Disassociation Attack / Deauthentication Attack
Exploits the lack of encryption in management frame traffic to send spoofed frames.

79
Q

A wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.

A

IV attacks

80
Q

An attack in which radio waves disrupt 802.11 wireless signals.

A

Jamming Attack

81
Q

A device that can detect the source of interference on a wireless network.

A

Spectrum Analyzer

82
Q

Any type of physical, application, or network attack that affects the availability of a managed resource.

A

Denial of Service (DoS)

83
Q

An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.

A

Distributed DoS (DDoS)

84
Q

A DoS attack where the attacker sends numerous SYN requests to a target server, hoping to consume enough resources to prevent the transfer of legitimate traffic.

A

SYN flood attack

85
Q

A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor.

A

Amplification Attack

86
Q

This allows a short request to direct a long response at the victim network.

A

DNS amplification attack

87
Q

TCP/IP application protocol, running over UDP port 123, that allows machines to synchronize to the same time clock.

A

Network Time Protocol (NTP)

88
Q

A communications network designed to implement an industrial control system rather than data networking.

A

Operational Technology (OT)

89
Q

DDoS attacks can be diagnosed by traffic spikes that have no legitimate explanation, but can usually only be counteracted by providing high availability services, such as load balancing and cluster services.

A

Blackhole
A blackhole is an area of the network that cannot reach any other part of the network.
Sinkhole
Sinkhole routing routes the traffic flooding a particular IP address to a different network, where it can be analyzed.

90
Q

Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.

A

Remotely triggered blackhole (RTBH)

91
Q

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

A

Sinkhole

92
Q

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

A

Load Balancer
A load balancer distributes client requests across available server nodes in a farm or pool.
This is used to provision services that can scale from light to heavy loads, and to provide mitigation against DDoS attacks.

93
Q

Two types of load balancer.

A

Layer 4 load balancer—basic load balancers make forwarding decisions on IP address and TCP/UDP port values, working at the transport layer of the OSI model.
Layer 7 load balancer (content switch)—as web applications have become more complex, modern load balancers need to be able to make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming. This requires more complex logic, but the processing power of modern appliances is sufficient to deal with this.

94
Q

The algorithm is the code and metrics that determine which node is selected for processing each incoming request. The simplest type of scheduling is called round robin; this just means picking the next node.

A

Scheduling algorithm
Round Robin

95
Q

A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question.

A

Session Affinity
A layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request.

96
Q

In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

A

Persistence

97
Q

A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

A

Clustering
Clustering allows multiple redundant processing nodes that share data with one another to accept connections.

98
Q

A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.

A

Failover

99
Q

Systems that differentiate data passing over the network and can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).

A

Quality of Service (QoS)

100
Q

The time it takes for a signal to reach the recipient. A video application can support a latency of about 80 ms, while typical latency on the Internet can reach 1000 ms at peak times. Latency is a particular problem for 2-way applications, such as VoIP (telephone) and online conferencing.

A

Latency

101
Q

A variation in the time it takes for a signal to reach the recipient.

A

Jitter
Jitter manifests itself as an inconsistent rate of packet delivery. If packet loss or delay is excessive, then noticeable audio or video problems (artifacts) are experienced by users.
