N10-009-Section_1 Flashcards

Question

TCP Offload

Answer 1

Refers to the load balancing of TCP related tasks. A Load Balancer can distribute TCP tasks to a certain server allowing the other servers to handle the rest of the data

Answer 2

Refers to the load balancing of SSL related tasks. A Load Balancer can distribute TCP tasks to a certain server allowing the other servers to handle the rest of the data

Answer 3

A Load balancer can distribute traffic among several servers. It can also perform tasks like TCP and SSL offloading to take those tasks away from the servers themselves. Can also provide Caching so requests don�t always have to go to the servers, and traffic prioritization. Content Switching, application-centric balancing, certain requests always go to certain servers.

Answer 4

Device or software that runs on a server that acts as an intermediary between 2 other parts of a network - provides caching, content filtering, access control, acts sort of like a firewall. Proxy Servers are application specific, Web Proxy, FTP proxy, VOIP proxy

Answer 5

Forward proxy will take requests or data from a client and forward it out - Clients are aware of the proxy. Clients will need to be configured to use the proxy - Hides the Client

Answer 6

Is in-line between clients and the internet so there is no configuration, clients have to go through the proxy to get out

Answer 7

Proxy server represents the web server and not the client - used to protect the server from malicious actors - Can balance the load for high volume sites - protect against DoS attacks - Hides the server

Answer 8

Network Attached Storage - file level storage

Answer 9

Storage Area Network - Block level storage - big brother of NAS

Answer 10

A switch or some software that allows you to configure all of your Access Points at once

Answer 11

Content Delivery Network. A server that can cache large amounts of data so that users don�t have to stream data from across the world, the just stream from the closest CDN

Answer 12

An Encrypted Tunnel to a proxy server. VPNs use a Concentrator or Head-end for clients to connect to.

Answer 13

A dedicated device that acts as an endpoint for the network. Performs high-speed encryption/decryption

Answer 14

Quality of Service. Traffic Shaping or Packet Shaping, can prioritize and control traffic

Answer 15

Time To Live. A way to stop a task if its taking too long or in danger of causing a loop. Could be applied to cached materials. TTL is measured in hops, each router the packet passes through will decrease the TTL by 1

Answer 16

Can happen especially with static routes. TTL can help to prevent this.

Answer 17

Cloud. Can scale up or down as needed very quickly

Answer 18

Cloud. Many different clients are using the same cloud infrastructure

Answer 19

Network Function Virtualization. The virtualization of network hardware

Answer 20

Virtual Private Cloud - Your own little cloud, router/firewall, switch that all connect to the internet. You can use a VPN to connect to a VPC for more security

Answer 21

VPCs are connected with a Transit Gateway. A "cloud router"

Answer 22

A VPC gateway will connect your VPC to external networks or can facilitate communication between components inside the VPC. Two common Types of VPC Gateways are Internet Gatway (IGW, connects your VPC to the public internet) and Virtual Private Gateway (VGW, connects your VPC to an external private network like an on-prem data center)

Answer 23

Allows VPCs to connect to the internet without exposing them to inbound internet traffic. Outbound traffic only.

Answer 24

Direct connected between cloud provider networks. AWS to some other cloud provider.

Answer 25

VPC. Network Security List. Rules that can control access to VPCs based on protocols and ports. Lists are applied to all VPCs on all subnets. They are very broad and can become difficult to manage.

Answer 26

VPC. Network Security Group. Gives more granularity than a Network Security List. You can apply access control rules to a specific VNIC.

Answer 27

Just within my organization. Apps or resources just in your org

Answer 28

Azure - anyone who wants to join can. An app that you want other people outside of your org to access and use

Answer 29

Little bit of public and private - some of the cloud is segregated as private and other parts are public. Often times a large org with a lot of resources can sell out unused resources of their org

Answer 30

A bunch of smaller orgs can join up and create a cloud as clouds are expensive

Answer 31

Infrastructure as a service (AWS) - Servers, Firewalls, virtualized. Sometimes called HaaS, Hardware as a Service

Answer 32

Platform as a service - For developers - Servers/Backups are all created, all that's left is for the developer to build an app

Answer 33

Software as a service (O365), no local installation

Answer 34

Desktop as a service - end user workstations are in the cloud and can be accessed with a thin client - Servers are in the cloud

Answer 35

Transmission Control Protocol / Internet Protocol - Developed in the 1960s by the US Department of Defence's (Dod) Advanced Research Projects Agency (ARPA)

Answer 36

0-1023, these port numbers are reserved for common services

Answer 37

1024-65535. Free for use

Answer 38

Internet Control Message Protocol - Works on the Internet layer of the TCP/IP model. No Port numbers in ICMP. Really isn't any data - Ping is ICMP, doesn�t really send data, just want to check if someone is there and responding. ARP is also ICMP.

Answer 39

GRE (Generic Routing Encapsulation) is a tunneling protocol used in computer networks to encapsulate a wide variety of network layer protocols into point-to-point connections. GRE allows for the creation of virtual tunnels between devices, enabling them to transport packets of data from one network to another over an intermediary network, such as the Internet.

Answer 40

Takes two networks and connects them with a VPN. Almost always on.

Answer 41

IPSec (Internet Protocol Security) is a suite of protocols designed to secure IP communications by authenticating and encrypting each IP packet in a communication session. IPSec operates at the network layer of the OSI model, which means it can secure any application that uses IP, regardless of the application protocol.

Answer 42

AH (Authentication Header) is one of the two main protocols used in IPSec (Internet Protocol Security) to provide security services, specifically focusing on data integrity, authentication, and anti-replay protection. While AH ensures the authenticity and integrity of the data, it does not provide encryption of the payload. This means that while AH secures the header and data integrity, the data itself is still transmitted in plaintext.

Answer 43

ESP (Encapsulating Security Payload) is one of the two main protocols used in IPSec (Internet Protocol Security) to secure IP communications. Unlike AH (Authentication Header), which only provides authentication and integrity, ESP provides confidentiality (encryption), data integrity, authentication, and anti-replay protection. ESP Encrypts the packet.

Answer 44

IKE (Internet Key Exchange) is a protocol used in IPSec to securely establish shared security associations (SAs) between two parties, such as routers, firewalls, or VPN gateways. IKE is responsible for negotiating and setting up the keys and security parameters used for encrypted communication. It allows the two peers to authenticate each other and securely exchange cryptographic keys for the IPSec protocol to use.

Answer 45

Uses Diffie-Hellman Key Exchange to create a shared secret key. UDP/500. This process is referred to as ISAKMP (Internet Security Association and Key Management Protocol). Asymmetric Encryption is used to create a shared Symmetric Key. At this point you have a secure symmetric key that can be used for fast encryption/decryption.

Answer 46

Diffie-Hellman Key Exchange. Used in Phase 1 of IKE, each side creates a private key and derives a public key from it. The public keys are exchanged. Each side then takes their own private key and the public key from the other side and creates a 3rd key known as the Diffie-Hellman key. Each side will have generated the same DH key. This DH key is used to then exchange key material and agreements. Each key then generates a 4th key (a symmetrical key) from the DH key, and this key is used to encrypt everything passing through the Phase 1 tunnel.

Answer 47

Coordinates ciphers and key sizes for the encryption. Negotiation of an inbound and outbound SA for IPSec. Phase 2 starts out with each side having a DH key, and the same symmetric key that has never been transmitted, and the phase 1 tunnel. With these keys, each side can negotiate a common cipher between the two. Then a 5th key (IPSEC key, symmetrical key) is created. This key is what is used to encrypt the bulk of the data.

Answer 48

A mode of an IPSEC VPN connection. Ipsec header is inserted into the IP packet before the IP header. The data is still encrypted but the IP header is not.

Answer 49

A mode of an IPSEC VPN connection. More secure than Transport Mode, there is a new IP header that is encrypted placed in front of the Ipsec header that is placed in front of the entire IP packet. Most implementations of IPSEC will use Tunnel Mode

Answer 50

As opposed to multicast, anycast is one-to-one-of-many (multicast is one-to-many-of-many). Multiple devices are setup to receive the anycast, but the anycast data is sent to whoever is closest or whoever it can reach first.

Answer 51

Global System for Mobile Communications - relies on TDMA - Oldest cellular technology

Answer 52

TDMA (Time Division Multiple Access) is a channel access method used in digital communication systems to allow multiple users or devices to share the same frequency channel by dividing the signal into time slots. Each user or device is allocated a specific time slot to transmit their data, enabling multiple users to use the same frequency band without interference.

Answer 53

EDGE (Enhanced Data Rates for GSM Evolution) is a mobile data technology that is an enhancement to the existing GSM (Global System for Mobile Communications) network, offering higher data transmission speeds and improved performance for mobile broadband services. EDGE is often referred to as 2.75G because it sits between 2G (GSM) and 3G (UMTS) technologies.

Answer 54

CDMA (Code Division Multiple Access) is a digital cellular technology used in mobile communication systems that allows multiple users to share the same frequency spectrum by assigning unique codes to each user's data. Unlike other technologies like TDMA (Time Division Multiple Access) or FDMA (Frequency Division Multiple Access), CDMA enables users to transmit simultaneously over the same frequency channel, but each transmission is differentiated by its unique code.

Answer 55

Long Term Evolution - is a 4G technology. 150mbps

Answer 56

Long Term Evolution Advanced - 300mbps

Answer 57

5th Generation - runs on three bands, low, medium, and high - Higher the frequency the faster the speeds. Max 10gbps throughput

Answer 58

SFP (Small Form-factor Pluggable) is a compact, hot-pluggable transceiver module used for fiber optic and copper connections in networking equipment, such as switches, routers, and network interface cards (NICs). SFP supports speeds for 1Gbps. SFP modules allow for flexible and customizable network connections, as they can be easily replaced or upgraded to support different transmission speeds, distances, and types of media (fiber or copper).

Answer 59

SFP+ (Small Form-factor Pluggable Plus) is a compact, hot-pluggable transceiver module used for fiber optic and copper connections in networking equipment, such as switches, routers, and network interface cards (NICs). SFP supports speeds for 16Gbps. Commonly used for 10G Ethernet.

Answer 60

QSFP (Quad Small Form-factor Pluggable) is a type of high-speed transceiver used in networking equipment to support data transmission over optical or copper cables. Its 4x SFP+ modules. 40Gbps

Answer 61

Mesh, Star (hub and spoke), Bus, Ring, Hybrid

Answer 62

Every host is connected to every other host. Mesh creates fault tolerance

Answer 63

Multiple hosts that connects to a central box (hub or switch etc)

Answer 64

Oldest, all hosts are connected by a single trunk cable. If the cable breaks everything goes down.

Answer 65

Hosts connected in a ring. Frames with travel around the ring to get to the destination. Trouble only happens if there is a break between adjacent hosts.

Answer 66

Combined topologies, most popular is Star-Bus (a switch)

Answer 67

A series of switches labeled as spine and leaf. Each spine switch connects to each leaf, and vise versa. The leaves connect to the servers or infrastructure. The spines do not connect directly to each other and neither to the leaves. Use a lot in data-centers for top-of-rack switching.

Answer 68

A kind of network architecture. Core, Distribution/Aggregation, and Access/Edge

Answer 69

Core Layer - The meat of your org. Databases, web servers, applications, stuff everyone needs access to. Core routers.

Answer 70

Distribution/Aggregation Layer - The midpoint between the core and the users. Switches that manage the paths to the end users.

Answer 71

Access/Edge layer - The workstations, printers, wherever the users connect

Answer 72

Smaller than 3 tier, combines the core and distribution layer. For smaller orgs

Answer 73

North, South, East, West - North = traffic up to the core and out through the ISP. East/West = traffic going from server to server. South = traffic coming down from the core to the servers

Answer 74

Allows multiple devices to use a single public IP address. To conserve public IP addresses. Devices are assigned a private address from the NAT device.

Answer 75

RFC 1918 (Request for Comments 1918) is a standard published by the Internet Engineering Task Force (IETF) that defines private IP address ranges for use within private networks. These address ranges are reserved for use in local area networks (LANs) and are not routable on the public internet. The purpose of RFC 1918 is to conserve the limited pool of public IPv4 addresses by allowing private addresses to be used within internal networks without the need for public IP addresses.

Answer 76

VLSM (Variable Length Subnet Mask) is a subnetting technique used in IP networking that allows the division of an IP address space into subnets of different sizes, rather than using a fixed subnet size. This enables more efficient use of IP address space by tailoring the subnet mask to match the number of required hosts in each subnet.

Answer 77

SDN - The Management Plane is responsible for the administration, configuration, monitoring, and management of a network device. It handles interactions between network administrators and the device and is usually accessed through various management interfaces.

Answer 78

SDN - The Control Plane is responsible for making decisions about where and how data packets should be forwarded. It�s the �brains� of the device, determining the best paths for data and updating routing tables or forwarding information bases (FIBs) accordingly.

Answer 79

SDN - The Data Plane (also known as the Forwarding Plane) is responsible for the actual forwarding of data packets based on the decisions made by the control plane. It�s the �muscle� of the network device, handling the high-speed movement of data through the network. Trunking, Encrypting, NAT

Answer 80

Software-Defined Networking (SDN) is an approach to network management that enables network administrators to manage, configure, and optimize network resources through software-based controllers rather than traditional hardware-centric configurations. SDN separates the control plane (the decision-making component) from the data plane (the part that actually moves packets through the network), which allows for centralized control and a high degree of flexibility.

Answer 81

Specializes in the optimization of wide-area networks (WANs), particularly for connecting branch offices, data centers, and cloud environments. Uses software to manage network traffic dynamically over multiple WAN connections (e.g., MPLS, broadband, LTE). SD-WAN is the use of SDN over multiple WANs to connect brand offices of larger organizations. SD-WANs know what application is in use and knows where on the cloud to send traffic for it. Transport agnostic, SD-WAN will handle any medium of connection (Coax, DSL, Fiber)

Answer 82

Zero-touch Provisioning - SD-WAN/SDN - Remote equipment is automatically configured by a controller/server when it joins the network

Answer 83

Virtual Extensible LAN - Technology that was designed to connect services at different data centers together and deal with differences between those datacenters like IP address schemas and encapsulation of data while it travels between sites.

Answer 84

DCI (Data Center Interconnect) using VXLAN (Virtual Extensible LAN) refers to the use of VXLAN technology to connect or interconnect multiple data centers, enabling them to operate as a single unified network. This approach allows organizations to extend their Layer 2 networks over a Layer 3 infrastructure, which is essential for creating a highly scalable, flexible, and efficient network architecture between geographically dispersed data centers.

Answer 85

Layer 2 Encapsulation in VXLAN (Virtual Extensible LAN) refers to the process of encapsulating Layer 2 Ethernet frames inside Layer 3 UDP packets. This encapsulation is crucial for creating overlay networks in a VXLAN architecture, enabling Layer 2 communication over a Layer 3 IP infrastructure. By using this encapsulation technique, VXLAN provides network virtualization and allows data centers or remote sites to connect their Layer 2 networks, even if the underlying physical infrastructure is based on Layer 3.

Answer 86

ZTA (Zero Trust Architecture) is a security framework that assumes no implicit trust for any user, device, or system�whether inside or outside the network perimeter. In a Zero Trust Architecture, trust is never assumed; instead, it is continuously verified and validated, often through a combination of user authentication, device verification, and access policies. The principle of ZTA is based on the idea of "never trust, always verify."

Answer 87

Policy-Based Authentication in the context of Zero Trust Architecture (ZTA) refers to the use of dynamic, context-driven policies to determine whether an entity (such as a user, device, or application) should be authenticated and granted access to network resources. In ZTA, authentication is not a one-time process; it�s an ongoing, continuous verification based on predefined policies that account for various factors like user identity, device security posture, location, and behavior. Time of day could be a factor for authentication as well.

Answer 88

Part of a Policy Based Authentication. Looks at whos trying to authenticate to the network, where they are at the time of auth, type of connection, IP address. Uses all of that together to determine the level of authentication

Answer 89

Authorization in Zero Trust Architecture (ZTA) refers to the process of determining what resources and actions a user, device, or application is allowed to access after successful authentication. In a Zero Trust model, authorization is based on granular, policy-driven rules that evaluate multiple factors, such as the user's identity, device health, location, and behavior, to enforce least-privilege access to resources.

Answer 90

SASE (Secure Access Service Edge) (A next gen VPN) is a cloud-based security architecture that combines networking and security services into a unified, integrated model. SASE delivers a comprehensive suite of capabilities to support modern, distributed workforces, remote access, and secure connections for users, devices, and applications, regardless of their location. The goal of SASE is to enable secure and optimized access to applications and data while simplifying the management of networking and security infrastructure.

Answer 91

SSE (Security Service Edge) is a subset of the SASE (Secure Access Service Edge) framework, focusing primarily on delivering cloud-based security services without the networking components (like SD-WAN). SSE focuses on providing essential security capabilities that protect users, devices, and applications while they access corporate data and resources, especially as the workforce becomes increasingly distributed.

Answer 92

Infrastructure as Code is the practice of managing and provisioning computing infrastructure through machine-readable scripts rather than through manual configuration. IaC treats infrastructure setup (e.g., creating servers, networking, storage) as code, which is then version-controlled, tested, and executed just like application code.

Answer 93

Playbooks, templates, and reusable tasks are key components of Automation in Infrastructure as Code (IaC), and they help streamline the process of defining and managing infrastructure. These components enable the automation of infrastructure provisioning, configuration, and management tasks, making it easier to implement and maintain consistent environments. Can use to recover from ransomware, or investigate a data breach

Answer 94

Security, Orchestration, Automation, and Response. Part of IaC. A management consol that allows management and monitoring of playbooks

Answer 95

Configuration Drift and Compliance in the context of Infrastructure as Code (IaC) refer to the challenges and practices associated with maintaining consistency and ensuring that infrastructure configurations adhere to predefined standards, even as environments evolve over time. IaC can help prevent configuration drift by applying a standardized config across the board

Answer 96

Automation in Infrastructure as Code (IaC) refers to the practice of managing and provisioning IT infrastructure (like servers, networks, databases, and more) through automated scripts or code, rather than manually configuring hardware and software. IaC enables teams to define their infrastructure using machine-readable configuration files that can be versioned, reused, and managed just like application code. Automation in IaC improves consistency, reduces human error, and accelerates the deployment process.

Answer 97

Upgrades in the context of Automation (IaC) refer to the process of automating the updating and patching of infrastructure, applications, and configurations to ensure that the systems remain secure, efficient, and up-to-date. This can involve updating software versions, applying security patches, scaling resources, or making other changes to keep the infrastructure in line with the evolving requirements of the organization.

Answer 98

Dynamic Inventories in the context of Automation (IaC) refer to the capability of automatically generating and maintaining a list of infrastructure components (e.g., servers, virtual machines, network devices) that are part of the environment, without having to manually define them. These inventories are usually created in real-time based on the current state of the infrastructure, which can be crucial for scaling, managing, and automating complex environments.

Answer 99

Source Control (Version Control) in the context of Infrastructure as Code (IaC) is the practice of using version control systems (VCS) like Git to track and manage changes to IaC scripts, configuration files, and templates over time. Just like software code, infrastructure code (e.g., Terraform configurations, Ansible playbooks, CloudFormation templates) is stored in source control repositories, enabling teams to collaborate, version, and audit infrastructure changes effectively.

Answer 100

Version Control in the context of Source Control (IaC) is a fundamental practice that involves managing changes to Infrastructure as Code (IaC) configurations over time. Version control systems (VCS) like Git, Mercurial, or Subversion are used to track, manage, and organize the changes made to IaC scripts, templates, and configuration files. This allows teams to maintain a clear history of infrastructure changes, collaborate efficiently, and ensure that configurations are reproducible and auditable.

Answer 101

A Central Repository in the context of Source Control (IaC) refers to a centralized version-controlled storage location where all Infrastructure as Code (IaC) files, scripts, templates, and configurations are stored. This repository serves as the single source of truth for infrastructure definitions and provides a central point for collaboration, versioning, and management of the code that automates the provisioning and management of infrastructure.

Answer 102

Conflict Identification in the context of Source Control (IaC) refers to the process of detecting and resolving conflicts that arise when multiple team members make changes to the same infrastructure code or configuration files. These conflicts can occur when two or more contributors modify the same lines of code or sections of infrastructure definitions (e.g., Terraform, Ansible, or CloudFormation templates) in incompatible ways.

Answer 103

Branching in the context of Source Control (IaC) refers to the practice of creating separate lines of development within a version control system (e.g., Git) to work on different features, changes, or versions of Infrastructure as Code (IaC) independently. Branching allows teams to develop and test changes in isolation without affecting the main or production codebase, enabling collaborative work on infrastructure configurations and allowing safer rollouts of infrastructure updates.

Answer 104

One protocol can be encapsulated within another so that devices that can't handle IPv6 can still be reached.

Answer 105

When a device can use both IPv4 and IPv6 at the same time. Interfaces are assigned both an IPv4 and IPv6 address and can use either one dynamically.

Answer 106

NAT that translates IPv4 and IPv6. Requires a specialized router in the middle to translate. Uses a specialized DNS server called DNS64

Answer 107

A special DNS server that can translate IPv6 DNS requests to IPv4 by reaching out to a traditional IPv4 DNS server, it will then translate the response and forward it on to the IPv6 device that made the request.

Answer 108

To send IPv6 over an existing IPv4 network. Creates an IPv6 Address based on the IPv4 address. Requires Relay routers, no NAT support, No longer available on Windows. Pretty old stuff, not really used anymore

Answer 109

Tunnel IPv4 on an IPv6 network. Old, not found much any more

N10-009-Section_1 Flashcards

(133 cards)