Network+ Flashcards
Layer 1 - Physical:
Receives the frames and data and sends them via the local media (copper wires, fiber-optic cables, etc.) to the switches, routers, etc., along the network path.
Layer 2 - Data link:
- Receives the packets and adds physical addressing by adding sender and receiver MAC addresses to each data packet.
- This information forms a unit called a frame.
Layer 3 - Network:
The routing layer (IP addresses, routers, packets).
Layer 4 - Transport:
The functions defined in this layer provide for the reliable transmission of data segments, as well as the disassembly and assembly of the data before and after transmission.
Layer 5 - Session:
- Establishes, manages, and terminates sessions between two communicating hosts.
- Synchronizes dialog between the presentation layers of the two hosts and manages their data exchange.
Layer 6 - Presentation:
- Ensures that information sent at the application layer of one system is readable by the application layer of another system.
- May translate between multiple data formats by using a common format.
Layer 7 - Application:
- Closest to the user.
- Provides network services to the applications of the user, such as email, file transfer, and terminal emulation.
Router:
A device that forwards data packets between computer networks.
Switch:
A computer networking device that connects network segments.
Firewall:
A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
Intrusion detection system (IDS):
Monitors network traffic to identify possible malicious activity and log information about it.
Intrusion prevention system (IPS):
Sits behind the firewall and uses anomaly detection or signature-based detection to identify and respond to network threats.
Load Balancer:
Hardware or software that balances the load between two or more servers.
Proxy:
A system or router that provides a gateway between users and the internet.
Network-attached storage (NAS):
A server that is placed on a network with the sole purpose of providing storage to users, computers, and devices attached to the network.
Storage area network (SAN):
A high-speed network with the sole purpose of providing storage to other attached servers.
Wireless Access point (AP):
A device that enables wireless systems to communicate with each other, provided that they are on the same network.
Wireless Controller:
A central management console for all of the APs on a network.
Content delivery network (CDN):
- An information system that serves content to Web pages over the Internet.
- To reduce wait time, data is typically stored and served from many geographic locations.
Virtual private network (VPN):
A private data network that creates secure connections, or “tunnels,” over regular Internet lines.
Quality of service (QoS):
Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.
Time to live (TTL):
The maximum amount of time a packet is allowed to circulate through a network before it is destroyed.
Network functions virtualization (NFV):
Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.
Virtual private cloud (VPC):
A private network segment made available to a single cloud consumer within a public cloud.
Network security groups:
Allows you to filter network traffic. Can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources.
Network security lists:
Consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the list is associated with.
Internet gateway:
A device or node that connects networks by translating protocols.
Network address translation (NAT) gateway:
You can use this so that instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances.
Public cloud:
Provides cloud services to just about anyone.
Private cloud:
Serves only one customer or organization and can be located on the customer’s premises or off the customer’s premises.
Hybrid cloud:
A mixed computing environment where applications are run using a combination of computing, storage, and services in different environments.
Software as a service (SaaS):
A form of cloud computing where a firm subscribes to a third-party software and receives a service that is delivered online.
Infrastructure as a service (IaaS):
Delivers hardware networking capabilities, including the use of servers, networking, and storage, over the cloud using a pay-per-use revenue model.
Platform as a service (PaaS):
Supports the deployment of entire systems including hardware, networking, and applications using a pay-per-use revenue model.
Scalability:
Refers to how well a system can adapt to increased demands.
Elasticity:
Refers to the ability of a cloud to automatically expand or shrink infrastructure resources in response to sudden rises and falls in demand.
Multitenancy:
A single instance of a system serves multiple customers.
Internet Control Message Protocol (ICMP):
An IP network protocol used to determine if a particular service or host is available.
Transmission Control Protocol (TCP):
A protocol for sending packets that does error-checking to ensure all packets are received and properly ordered.
User Datagram Protocol (UDP):
A protocol for sending packets quickly with minimal error-checking and no resending of dropped packets.
Generic Routing Encapsulation (GRE):
A method of encapsulating an IP packet in a GRE header, which hides the original IP packet.
Internet Protocol Security (IPSec):
A set of protocols developed to support the secure exchange of packets between hosts or networks.
Authentication Header (AH):
An IPsec protocol that authenticates that packets received were sent from the source identified in the header of the packet.
Encapsulating Security Payload (ESP):
An IPsec protocol that provides authentication, integrity, and encryption services.
Internet Key Exchange (IKE):
Method used by IPSec to create a secure tunnel by encrypting the connection between authenticated peers.
Unicast:
A form of message delivery in which a message is delivered to a single destination.
Multicast:
A form of transmission in which a message is delivered to a group of hosts.
Anycast:
A network addressing and routing method in which incoming requests can be routed to a variety of different locations or “nodes.”
Broadcast:
Used to transmit a message to any reachable destination in the network without the need to know any information about the receiving party.
Frequency bands used by 802.11 networks include:
- 5.0 GHz.
- 2.4 GHz.
IEEE 802.11a wireless standard:
- 5.0 GHz frequency band.
- Maximum data signaling rate of 54 Mbps.
IEEE 802.11b wireless standard:
- 2.4 GHz frequency range.
- Maximum data signaling rate of 11 Mbps.
IEEE 802.11g wireless standard:
- 2.4 GHz frequency range.
- Maximum data signaling rate of 54 Mbps.
IEEE 802.11n wireless standard:
- 2.4 GHz frequency band.
- 5.0 GHz frequency band.
- Maximum data signaling rate of up to 600 Mbps.
- Multiple Input / Multiple Output (MIMO).
IEEE 802.11ac (WiFi 5) wireless standard:
- 5.0 GHz frequency band.
- Maximum data signaling rate of up to 6.933 Gbps.
- Multi-User Multiple Input / Multiple Output (MU-MIMO).
IEEE 802.11ax (WiFi 6) wireless standard:
- 2.4 GHz frequency band.
- 5.0 GHz frequency band.
- Maximum data signaling rate of up to 9.607 Gbps.
- Multi-User Multiple Input / Multiple Output (MU-MIMO).
Directional antenna types suitable for long-range point-to-point bridging links:
- Yagi antenna.
- Dish antenna.
- Parabolic antenna.
Cellular:
- A radio network distributed over land through cells, where each cell includes a fixed-location transceiver known as a base station.
- These cells together provide radio coverage over larger geographical areas.
IEEE 802.3af:
PoE (Power over Ethernet).
IEEE 802.3at:
PoE+.
IEEE 802.3bt:
- PoE++.
- 4PPoE.
Single-mode Fiber (SMF):
- Uses lasers.
- Longer distance and smaller diameter.
- Used in telecom and CATV networks.
Multimode fiber (MMF):
- Uses LEDs.
- Shorter distance and wider diameter.
- Used in LAN, security systems, and CCTV.
Direct attach copper (DAC) cable:
Allows direct communication between devices over copper wire.
Twinaxial cable:
A variant of coaxial cables, which features two inner conductors instead of one and is used for very-short-range high-speed signals.
Coaxial cable:
Insulated copper wire; used to carry high-speed data traffic and television signals.
Plenum vs. Non-Plenum Cables:
- Plenum cables are engineered with fire-retardant materials, emitting minimal smoke and toxic fumes in case of fire.
- Non-plenum cables often come at a lower cost than plenum cables.
Ethernet:
A physical and data layer technology for LAN networking.
Protocol:
A set of rules governing the exchange or transmission of data between devices.
Fibre Channel (FC):
- A high-speed data transfer protocol providing in-order, lossless delivery of raw block data.
- Primarily used to connect computer data storage to servers in storage area networks (SAN) in commercial data centers.
Small form-factor pluggable (SFP):
Fiber optic transceiver module type supporting duplex 1 Gbps (SFP) or 10 Gbps (SFP+) links.
Quad small form-factor pluggable (QSFP):
- Small, high-density pluggable interface used for high-speed data transmission.
- It connects between network devices and fiber optic or copper cables, providing multiple channels for simultaneous data transmission.
Local Connector (LC):
Fiber-optic cable connector that corresponds to the mini form-factor standard.
Subscriber connector (SC):
Push/pull connector used with fiber optic cabling.
Straight tip (ST):
Bayonet-style twist-and-lock connector for fiber optic cabling.
Multi-fiber push on (MPO):
Accommodates multiple fibers in a single physical connector interface.
Registered jack (RJ) 11:
Connector wired for one telephone line.
RJ45:
A common connector or plug used on the end of the network cable.
F-type:
Used with coaxial cabling.
Mesh Topology:
Every computer connects to every other computer; no central connecting device is needed.
Hybrid Topology:
A physical topology that combines characteristics of more than one simple physical topology.
Star/hub and spoke:
A network topology where all devices are connected to a central hub or switch, which manages the data flow between them.
Spine and leaf:
A newer network topology that consists of just two layers.
Point to point:
A data transmission that involves one transmitter and one receiver.
Three-Tier Hierarchical Model:
- Access layer: Provides access points for hosts to connect to the network.
- Distribution layer: Acts as an intermediary between the Core Layer and the Access Layer, and keeps local traffic confined to local networks.
- Core layer: Handles and transports huge amounts of data quickly and reliably and connects multiple end networks together.
Collapsed core:
A network design where the core and distribution layers are collapsed or combined into a single layer of switches.
North-south traffic flow:
Data transmission pattern that describes data flow between local network endpoints and external networks and services, such as the World Wide Web, cloud services, etc.
East-west traffic flow:
Transfer of data packets from server to server within a data center.
Automatic Private IP Addressing (APIPA):
A networking feature in operating systems that enables DHCP clients to self-configure an IP address and subnet mask automatically when a DHCP server isn’t available.
RFC1918:
Defined the 3 ranges of private IPv4 Addresses:
- 10.0.0.0 - 10.255.255.255 /8
- 172.16.0.0 - 172.31.255.255 /16
- 192.168.0.0 - 192.168.255.255 /32
Loopback/localhost:
- Used to test the IP stack on the local computer.
- Can be any address from 127.0.0.1 through 127.255.255.254.
Public vs. private network:
- Public networks are “open” access networks prioritizing accessibility and availability over network performance and security.
- Private networks are “closed” and secure networks prioritizing network safety, confidentiality, and performance over accessibility and ease of use.
Subnetting:
The act of dividing a network into smaller logical subnetworks.
Variable Length Subnet Mask (VLSM):
- The capability to specify a different subnet mask for the same Class A, B, or C network number on different subnets.
- VLSM can help optimize available address space.
Classless Inter-domain Routing (CIDR):
- Allows network administrators to expand the number of network nodes assigned to an IP address.
- Based on the idea that IP addresses can be allocated and routed based on their network prefix rather than their class.
Class A IPv4:
1.x.x.x to 126.x.x.x
Class B IPv4:
128.x.x.x - 191.x.x.x
Class C IPv4:
192.x.x.x - 223.x.x.x
Class D IPv4:
224.x.x.x - 239.x.x.x
Class E IPv4:
240.x.x.x - 255.x.x.x
Software-defined network (SDN):
The entire network, including all security devices, is virtualized.
Software-defined wide area network (SD-WAN):
An extension of SDN practices that connects entities spread across the Internet to support WAN architectures, especially those related to cloud migration.
Application aware:
Refers to systems or technologies that have built-in information about individual applications, allowing them to better interact with these applications.
Transport agnostic:
A software component that is unaware of the specific nature of the components or input with which it interacts.
Zero-touch provisioning:
- A mechanism that allows unconfigured devices to automatically load deployment files on power-on, including system software, patches, and configuration files.
- Eliminates the need for onsite, manual configuration and deployment.
Central policy management:
Practice of managing access policies from a single, centralized location.
Virtual Extensible Local Area Network (VXLAN):
The technology used to create tunnels between nodes on an SDN computer network.
Data center interconnect (DCI):
Technology that connects two or more data centers together over short, medium, or long distances using high-speed packet-optical connectivity.
Layer 2 encapsulation:
The encapsulation or framing of data for transmission over the physical medium.
Zero trust architecture (ZTA):
An approach to access control in IT networks that does not rely on trusting devices or network connections; rather, it relies on mutual authentication to verify the identity and integrity of devices, regardless of their location.
Policy-based authentication:
Security model in ASP.NET Core that decouples authorization and application logic. It centers around three main concepts: policies, requirements, and handlers.
Authorization:
The process of giving someone permission to do or have something.
Least privilege access:
User is only given access needed to perform job.
Secure Access Service Edge (SASE):
A new type of network architecture that combines both network security and wide area network (WAN) capabilities into a single solution.
Security Service Edge (SSE):
A collection of integrated, cloud-centric security capabilities that facilitates safe access to websites, software-as-a-service (SaaS) applications and private applications.
Infrastructure as code (IaC):
- A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
- Automation and source control.
Automation:
- Playbooks/templates/reusable tasks.
- Configuration drift/compliance.
- Upgrades.
- Dynamic inventories.
Source control:
- Version control.
- Central repository.
- Conflict identification.
- Branching.
IPv6 addressing:
- 128 bit address written in hexadecimal.
- 8 octets.
Tunneling:
A data transport technique in which a data packet is transferred inside the frame or packet of another protocol, enabling the infrastructure of one network to be used to travel to another network.
Dual stack:
A type of network that supports both IPv4 and IPv6 traffic.
NAT64:
Together with DNS64, the primary purpose of NAT64 is to allow an IPv6-only client to initiate communications to an IPv4-only server.
Static Routing:
A type of routing in which a network administrator manually specifies the mappings in the routing table.
Dynamic Routing:
Allows a router to determine the best route between two nodes automatically and then store this information in a routing table.
Border Gateway Protocol (BGP):
The postal service of the Internet. When someone drops a letter into a mailbox, the Postal Service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient.
Enhanced Interior Gateway Routing Protocol (EIGRP):
A dynamic routing protocol designed by Cisco Systems; it is used for automating routing decisions and configuration on computer networks.
Open Shortest Path First (OSPF):
An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.
Administrative distance:
In the event there are multiple routes to a destination with the same prefix length, the route learned by the protocol with the lowest administrative distance is preferred.
Prefix length:
The longest-matching route is preferred first.
Metric:
In the event there are multiple routes learned by the same protocol with same prefix length, the route with the lowest metric is preferred.
Network Address Translation (NAT):
A technique that allows private IP addresses to be used on the public Internet.
Port address translation (PAT):
A port number is tracked with the client computer’s private address when translating to a public address.
First Hop Redundancy Protocol (FHRP):
A networking protocol designed to protect the default gateway used on a subnetwork by allowing two or more routers to provide backup for that address.
Virtual IP (VIP):
An IP address and a specific port number that can be used to reference different physical servers.
Subinterfaces:
A virtual interface that is created by dividing up one physical interface into multiple logical interfaces.
Virtual Local Area Network (VLAN):
A logical network that can separate physical devices without regard to the physical location of the device.
VLAN database:
Saved in either Flash or NVRAM, depending on the model of switch.
Switch Virtual Interface (SVI):
A logical interface on a layer 3 switch that provides layer 3 processing for packets from all switch ports associated with a VLAN.
Native VLAN:
Untagged traffic that arrives on an 802.1Q trunk port is placed on a VLAN designated as the native VLAN.
Voice VLAN:
A VLAN defined for use by IP Phones, with the Cisco switch notifying the phone about the voice VLAN ID so that the phone can use 802.1Q frames to support traffic for the phone and the attached PC (which uses a data VLAN).
802.1Q tagging:
A method of adding a 4-byte tag to Ethernet frames to identify the VLAN that they belong to.
Link aggregation:
Allows multiple physical connections to be logically bundled into a single logical connection.
Spanning Tree Protocol (STP):
- A Layer 2 link management protocol that provides path redundancy while preventing loops in the network.
- 5 states (disabled, blocking, listening, learning, forwarding).
Maximum transmission unit (MTU):
The largest packet size supported on an interface.
Jumbo frames:
Usually 9000 bytes long, though technically anything over 1500 bytes qualifies, these frames make large data transfer easier and more efficient than using the standard frame size.
Channel Width:
Refers to the range of frequencies occupied by a WiFi channel.
Non-overlapping channels:
Channels 1, 6, and 11.
802.11h:
It is an extension of 802.11a, allowing for a fourth band frequency (known as UNII-2 Extended).
2.4GHz:
A Wi-Fi frequency range that has 14 channels.
5GHz:
- At this higher frequency, throughput is faster.
- On the negative side, the transmission range is shorter, as the signal gets attenuated by objects such as walls and floors.
6GHz:
A new development in Wi-Fi technology.
Band steering:
A technique used in wireless networks to optimize the distribution of devices between different frequency bands.
Service set identifier (SSID):
A network name that wireless routers use to identify themselves.
Basic service set identifier (BSSID):
MAC address of an access point supporting a basic service area.
Extended service set identifier (ESSID):
An SSID applied to an Extended Service Set as a network naming convention.
Mesh networks:
Networks composed of multiple Wi-Fi access points that create a wide area network that can be quite large.
Ad hoc network:
A network created when two wireless devices connect to each other directly.
Point-to-point:
A data transmission that involves one transmitter and one receiver.
Infrastructure network:
Network where devices connect via a central device like a router.
Wi-Fi Protected Access 2 (WPA2):
A network security technology for Wi-Fi wireless networks that provides stronger data protection and network access control.
Wi-Fi Protected Access 3 (WPA3):
The latest Wi-Fi security standard that tackles the shortcomings of WPA2.
Captive portals:
Most public networks, including Wi-Fi hotspots, use a captive portal, which requires users to agree to some condition before they use the network or Internet.
Pre-shared key (PSK) vs. Enterprise:
- While easy to set up, PSK poses security risks if the key is weak or shared with unauthorized users.
- Enterprise authentication, also known as 802.1X or WPA-Enterprise, is a more secure and scalable method.
Autonomous access point:
A device that is separate from other network devices including other autonomous access points and that contains all the intelligence required for wireless authentication, encryption, and management.
Lightweight Access Point (LAP):
A device that cannot work independently and relies on an external wireless LAN controller (WLC).
Intermediate distribution frame (IDF):
Contains an edge switch, a patch panel, and other associated equipment to support the floor and offices nearest to it.
Main distribution frame (MDF):
The room in a building that stores the demarc, telephone cross-connects, and LAN cross-connects.
Port-side exhaust/intake:
- Port side intake is suitable for mounting switches on a rack.
- In a rack setup, multiple switches can be installed consecutively, and hot air can be expelled through the rear air vent, maximizing the rack’s cooling capacity.
- Port side exhaust is suitable for mounting switches on a wall.
Patch panel:
A wall-mounted panel of data receptors into which cross-connect patch cables from the punch-down block are inserted.
Fiber distribution panel:
The fiber equivalent of a patch panel; used to terminate horizontal fiber cabling.
Uninterruptible power supply (UPS):
An alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down.
Power distribution unit (PDU):
A device fitted with multiple outputs designed to distribute electric power, especially to racks of computers and networking equipment.
Voltage:
An electromotive force or potential difference expressed in volts.
Environmental factors:
Humidity, fire suppression, and temperature.
Physical Diagram:
A diagram that displays specific connections and explains why a network system functions in a specific manner; used for diagnostics.
Logical diagram:
- Shows network devices like routers, firewalls, voice gateways, subnets, VLAN IDs, subnet masks, and IP addresses.
- It also shows routing protocols, traffic flows, routing domains, and network segments.
Rack diagram:
A drawing that shows the devices stacked in a rack system and is typically drawn to scale.
Cable map:
General network documentation indicating each cable’s source and destination as well as where each network cable runs.
Asset Inventory:
A catalog of assets that need to be protected.
IP address management (IPAM):
- Planning, tracking, and managing the Internet Protocol address space used in a network.
- Integrates DNS and DHCP so that each is aware of changes in the other.
Service-level agreement (SLA):
Part of a service contract where the service expectations are formally defined.
Wireless Survey/Heat map:
A process of planning and designing a wireless network to provide the required wireless coverage, data rates, network capacity, etc.
End-of-life (EOL):
Product life-cycle phase where mainstream vendor support is no longer available.
End-of-support (EOS):
When a device or application is no longer provided with basic service and security support for patching and customer service.
Firmware:
- Software that is permanently stored in a chip.
- The BIOS on a motherboard is an example of this.
Decommissioning:
Refers to the process of officially stopping the use of something and removing it from service.
Configuration management:
A process to properly track changes to a system’s configuration through its whole lifecycle.
Backup configuration:
The version of the Cisco device configuration stored in the NVRAM of the system.
Baseline/golden configuration:
- The standard, approved configuration of a system.
- It can specify things like the approved operating system, patching levels and installed software.
SNMP (Simple Network Management Protocol):
- An Internet Standard protocol for collecting and organizing information about managed devices on IP networks.
- It is an application layer protocol.
- Ports 161/162.
SNMP Trap:
- A type of SNMP protocol data unit (PDU).
- Unlike other PDU types, with this, an agent can send an unrequested message to the manager to notify about an important event.
Management information base (MIB):
A virtual database included in an SNMP-compliant device, containing information about configuration and state of the device that can be queried by the SNMP management station.
SNMP v2C, SNMP v3:
SNMP version(s) that use MD5 encryption.
Community strings:
SNMP uses these to establish trust between a network management station and an agent on a managed device.
SNMP Authentication:
Amounts to nothing more than a password (community string) sent in clear text between a manager and agent.
Baseline metrics:
Anomaly alerting/notification.
Log aggregation:
The practice of gathering up disparate log files for the purposes of organizing the data in them and making them searchable.
Security information and event management (SIEM):
An application that collects and analyzes log data to monitor critical activities in an organization.
Syslog collector:
A syslog server integrated with a SIEM; it can receive messages from different systems and devices.
Application programming interface (API):
A set of software routines that allows one software system to work with another.
Port mirroring:
The practice of duplicating all traffic on one port in a switch to a second port.
Network discovery:
A setting that when turned on allows a computer to see other computers on a network and to be seen by those other computers.
Availability monitoring:
The process of checking the uptime, functionality, speed, and performance of infrastructure components such as servers and applications.
Configuration monitoring:
A process for assessing or testing the level of compliance with the established baseline configuration of software systems or servers.
DR metrics:
Used to measure your preparedness and manage expectations during recovery.
Recovery point objective (RPO):
- The maximum amount of data that can be lost after a recovery from a disaster before data loss will exceed what is acceptable to an organization.
- “How much data can I afford to lose?”
- Determines the maximum age of the data or files in backup storage needed to be able to meet the objective specified by the RPO, should a network or computer system failure occur.
Recovery time objective (RTO):
The maximum tolerable time to restore an organization’s information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system.
Mean time to repair (MTTR):
The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Mean time between failures (MTBF):
The average time until a component fails, cannot be repaired, and must be replaced.
Cold site:
A separate facility that does not have any computer equipment but is a place where employees can move after a disaster.
Warm site:
A separate facility with computer equipment that requires installation and configuration.
Hot site:
A separate and fully equipped facility where the company can move immediately after a disaster and resume business.
Active-active:
A configuration in which all load balancers are always active.
Active-passive:
A configuration in which the primary load balancer distributes the network traffic to the most suitable server while the secondary load balancer operates in a “listening mode.”
Tabletop exercises:
Exercises that simulate an emergency situation but in an informal and stress-free environment.
Validation tests:
The process of ensuring that the tested and developed software satisfies the client/user needs.
DHCP Reservations:
DHCP lease assignments that enable you to configure a permanent IP address for a client.
DHCP Scope:
The predefined range of addresses that can be leased to any network device on a particular segment.
DHCP Lease time:
- The specified amount of time that an IP configuration assigned by DHCP is valid.
- It is specified when a device is assigned an IP configuration.
DHCP Options:
Options that are assigned when the addresses are assigned or renewed, including the default gateway and the primary and secondary DNS servers.
DHCP Relay/IP helper:
Used to forward requests and replies between a DHCP server and client when the server is located on a different network.
DHCP Exclusions:
IP addresses residing within the exclusion range are excluded from the pool of available IP addresses.
Stateless address autoconfiguration (SLAAC):
A feature of IPv6 in which a host or router can be assigned an IPv6 unicast address without the need for a stateful DHCP server.
Domain Name Security Extensions (DNSSEC):
A suite of extensions to the domain name system used to protect the integrity of DNS records and prevent some DNS attacks.
DNS over HTTPS (DoH):
Domain Name System (DNS) over Hypertext Transfer Protocol using Transport Layer Security (HTTPS).
DNS over TLS (DoT):
The DNS name resolution service that uses TLS to encrypt communications between the client and server to ensure privacy and confidentiality.
Address (A) record:
A type of DNS data record that maps the IPv4 address of an Internet-connected device to its domain name.
AAAA Record:
The DNS record that maps a hostname to a 128-bit IPv6 address.
Canonical name (CNAME) Record:
Sometimes referred to as an Alias, maps an alias DNS domain name to another primary or canonical name.
Mail exchange (MX) Record:
A DNS record type that specifies the DNS hostname of the mail server for a particular domain name.
Text (TXT) Record:
Adds text into the DNS.
Nameserver (NS) Record:
Indicates which DNS nameserver has the authority.
Pointer (PTR) Record:
Maps an IP address to a domain/host name.
Forward Zone:
A DNS lookup file that holds A records.
Reverse Zone:
- A DNS lookup file that holds A records where the IP addresses must be stored in reverse, with the last octet listed first.
- For example, the IP address 1.2.3.4 would be stored in a PTR record as 4.3.2.1.
Authoritative vs. non-authoritative:
- Primary and secondary zones where the server holds the records are authoritative.
- Forwarded requests are non-authoritative.
Primary vs. secondary name resolution:
- Primary DNS servers contain all relevant resource records and handle DNS queries for a domain.
- By contrast, secondary DNS servers contain zone file copies that are read-only, meaning they cannot be modified.
Recursive Name Resolution:
Process by which a DNS server uses the hierarchy of zones and delegations to respond to queries for which it is not authoritative.
Hosts file:
File used to resolve FQDNs into IP addresses.
Precision Time Protocol (PTP):
A protocol used to synchronize clocks throughout a computer network.
Network Time Security (NTS):
- Provides cryptographic security for the client-server mode of the Network Time Protocol (NTP).
- This allows users to obtain time in an authenticated manner.
Site-to-site VPN:
Interconnects two sites.
Client-to-site VPN:
Clients from the Internet can connect to the server to access the corporate network or Local Area Network (LAN) behind the server, while the server still maintains the security of the network and its resources.
Clientless VPN:
Creates a secure, remote-access VPN tunnel using a web browser without requiring a software or hardware client.
Split tunnel vs. full tunnel:
- Split tunnel - only some traffic over secure VPN while the rest of the traffic directly accesses the Internet.
- Full tunnel - all of the traffic is sent over the secure VPN.
Jump box/host:
A system on a network used to access and manage devices in a separate security zone.
In-band vs. out-of-band management:
In-band management uses the same network infrastructure for management traffic, while out-of-band management uses a separate dedicated network.
Data in transit:
Any data sent over a network.
Data at rest:
Data stored on a drive, in the cloud, or otherwise not currently utilized by the owner, group, or other network personnel.
Certificates:
Digitally signed electronic documents that bind a public key with a user identity.
Public key infrastructure (PKI):
System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.
Self-signed:
A signed digital certificate that does not depend upon any higher level authority for authentication.
Identity and access management (IAM):
The security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Single sign-on (SSO):
Using one authentication credential to access multiple accounts or applications.
Remote Authentication Dial-in User Service (RADIUS):
Protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
LDAP (Lightweight Directory Access Protocol):
- Protocol that defines how a client can access information, perform operations, and share directory data on a server.
- Port 389.
Security Assertion Markup Language (SAML):
An XML-based standard used to exchange authentication and authorization information.
Terminal Access Controller Access Control System Plus (TACACS+):
A family of protocols made by Cisco used for authentication and authorization through a centralized server.
Time-based authentication:
A computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness.