Network Security Implemenation Flashcards

Question

What does IEEE 802.1x employ

Answer 1

Employs an authentication service, such as RADIUS, to secure clients, removing the need to implement security features in APs, which typically do not have the memory or processing resources to support complex authentication functions.

Answer 2

The switch or wireless access point puts the client session on hold and does not allow it to enter the network until either the device or user is authenticated and authorized by a RADIUS server. Wireless hotspots that require a user name and password in a browser are using 802.1x. It is an IEEE standard used to provide a Port-based Network Access Control (PNAC), using the 802.11 protocols. 802.1x uses EAP to provide user authentication against a directory service.

Answer 3

An Access Control List is a set of data that is used to control access to a resource.

Answer 4

``` Data includes items such as: User names Passwords Time and date IP addresses MAC addresses ```

Answer 5

Resources include items such as: Devices Files Networks

Answer 6

ACLS can be configured to explicitly allow or deny access to resources. An implicit deny-all clause placed at the end of an ACL will deny permissions to all traffic that is not explicitly permitted in the list.

Answer 7

A software program or a hardware device (or a combination of both) that protects a device or network from unauthorized access by blocking unsolicited traffic.

Answer 8

The simplest firewall implementation. They work at the OSI Network layer (Layer 3). Each network packet is compared either to a set of default criteria or to a set of rules configured by an administrator. Based on the rules, the packet is passed or dropped, or a message is sent back to the originator. Packet filters are usually a part of a router.

Answer 9

Works at the OSI Session layer (Layer 5) by monitoring the condition, or state, of the connection. Monitors the TCP connection establishment to determine if a request is legitimate. Stateful inspection firewalls are also known as circuit-level gateways.

Answer 10

Works at the OSI Application layer (Layer 7) and requires incoming and outgoing packets to have the proxy to access services. This functionality allows proxy firewalls to filter application-specific commands. Can be used to log user activity and logons, which offers administrators a high level of security but significantly affects network performance. Also known as Application-level gateways.

Answer 11

Combines the functionality of all of the above and operates at the OSI Network, Session, and Application layers simultaneously.

Answer 12

Unified Threat Management (UTM) is a network security solution that is used to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console.

Answer 13

``` UTMs provide multiple security functions such as: Network firewalling Network intrusion prevention Anti-malware VPN Spam and content filtering Load balancing Data leak prevention On-appliance reporting ```

Answer 14

IANA: (Internet Assigned Number Authority) An international organization established in 1993 to govern the use of IP addresses. The Internet Corporation for Assigned Names and Numbers (ICANN) is now responsible for leasing IP addresses worldwide.

Answer 15

IANA: (Internet Assigned Number Authority) An international organization established in 1993 to govern the use of IP addresses. The Internet Corporation for Assigned Names and Numbers (ICANN) is now responsible for leasing IP addresses worldwide.

Answer 16

Dynamic ports: assigned by a client operating system as needed when there is a request for service.

Answer 17

Registered ports: available to user processes and listed as a convenience by the IANA.

Answer 18

All ports are assigned a number between 0 and 65,535.

Answer 19

A TCP or UDP port number is configured to accept packets, unlike a closed port (which rejects connections or ignores all packets directed at it).

Answer 20

Every open port is a potential security vulnerability. | When ports are open and not needed, consider disabling them.

Answer 21

Protocol: TCP and Service: FTP

Answer 22

Protocol: TCP and Service: SSH

Answer 23

Protocol: TCP and Service: Telnet

Answer 24

Protocol: TCP and Service: SMTP

Answer 25

Protocol: TCP/UDP and Service: DNS

Answer 26

Protocol: TCP and Service: HTTP

Answer 27

Protocol: TCP and Service: POP3

Answer 28

Protocol: TCP/UDP | and Service: Windows RPC

Answer 29

Protocol: TCP/UDP | and Service: NetBIOS over TCP/IP

Answer 30

Protocol: TCP/UDP | and Service: NetBIOS over TCP/IP

Answer 31

Protocol: TCP/UDP | and Service: NetBIOS over TCP/IP

Answer 32

Protocol: TCP | and Service: HTTPS

Answer 33

Protocol: TCP | and Service: Microsoft SQL Server

Answer 34

Protocol: UDP and Service: Microsoft SQL Server

Answer 35

On a server, if USB ports are enabled, someone could insert a portable USB drive and copy sensitive files directly from the hard drive. On a switch, if unused ports are left enabled, attackers could physically connect to and access the network.

Answer 36

Entering BIOS setup or other management software and disabling a port. Editing the Windows Registry. Physically disconnecting the port from the motherboard. For details, consult the manufacturer documentation for the individual devices you are responsible for hardening.

Answer 37

Disable unnecessary services. Close ports that are by default open or have limited functionality. Disable unnecessary running services. Regularly apply appropriate security patches. Hide responses from ports that indicate their status and allow pre-configured connections only.

Answer 38

Protocols that do not expose data and/or credentials in cleartext.

Answer 39

SSH(Secure Shell) Used for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It was designed as a replacement for Telnet and other insecure remote shell protocols.

Answer 40

HTTPS (Hypertext Transfer Protocol Secure) Used for secure communication over a computer network, with especially wide deployment on the Internet. The main purpose of HTTPS is to prevent eavesdropping and man-in-the-middle attacks.

Answer 41

TLS/SSLTLS/SSL (Transport Layer Security/Secure Sockets Layer) Used to provide communication security over the Internet. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP).

Answer 42

SFTP (Secure File Transfer Protocol) Used for secure file access, file transfer, and file management.

Answer 43

SNMPv3 (Simple Network Management Protocol version3) Used for managing devices on IP networks. Version 3 added cryptographic security to secure data and user credentials.

Answer 44

IPSec (IP Security) Used for securing IP communications by authenticating and/or encrypting each IP packet of a communication session.

Answer 45

Windows Firewall and Windows Defender Firewall with Advanced Security are software firewall applications that are included with every version of the Windows operating system, including versions of Windows Server. Some versions of Windows Server also contain Datacenter Firewall. This provides users and administrators with at least a minimal firewall solution to help create a more secure network. For many users and for small organizations, the Windows Firewall will meet their needs without purchasing a more complicated firewall solution. Home users should use the Windows Firewall program in Control Panel. Windows Defender Firewall with Advanced Security is designed for administrators of a managed network to allow, deny, or secure network traffic in an enterprise environment. Datacenter Firewall is a multi-tenant firewall intended to be used in cloud service provider situations. Connection security rules are used to implement IPSec.

Answer 46

Determine which ports are currently open. Determine which of the open ports are required to be open. Close any ports that are not required to be open. Determine which services are currently running. Determine which of the running services are required. Disable any services which are not required.

Answer 47

Wireless security: Any method of securing your WLAN to prevent unauthorized network access and network data theft.

Answer 48

Site survey: An analysis technique that determines the coverage area of a wireless network, identifies any sources of interference and establishes other characteristics of the coverage area.

Answer 49

You need to ensure that authorized users can connect to the network without any hindrances. Wireless networks are more vulnerable to attacks than any other network system. Most wireless devices search and connect automatically to the access point with the best signal, which could be coming from an attacker. Wireless transmissions can also be scanned or sniffed out of the air, with no need to access physical network media. Such attacks can be avoided by using relevant security protocols. You use a site survey to help you install and secure a WLAN. Although an authorized site survey is a standard part of planning or maintaining a wireless network, unauthorized site surveys or compromise of the site survey data can be a security risk. Wireless access points (WAP) and wireless routers come with a default service set identifier (SSID). An administrator can accept a device's default SSID, but this is not recommended. The administrator should specify an SSID manually. Another method of securing a wireless connection is by disabling the broadcast of the SSID of the wireless device. Disabling the broadcast causes the wireless device to not appear on the network. Therefore, when a client device scans the network, it will not be able to locate the disabled SSID. Though disabling the broadcast of SSID is a comparatively easy task, this method is not completely effective because hackers can still access the WLAN by using sniffing software. Do not use WPS (WiFi Protected Setup). If any devices on your network have WPS, disable it. When purchasing devices, try to obtain devices that do not include WPS.

Answer 50

Encrypts wireless communications, making them less vulnerable. Designed to provide the same level of security as wired networks. Has many well-known security flaws.

Answer 51

Both encrypt wireless communications, making them less vulnerable to unauthorized access. Both offer better security than WEP, with WPA2 being more secure. Both protocols have a Personal and Enterprise mode. The personal mode uses a preshared key that all clients use for encryption. Enterprise mode uses 802.1x authentication and a unique encryption key for every client who logs on to the network.

Answer 52

TKIP provides the encryption for WPA. | AES provides the encryption for WPA2.

Answer 53

A security protocol that protects sensitive communication from being eavesdropped on and tampered with. TTLS is an EAP protocol that extends TLS by providing authentication that is as strong as TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates.

Answer 54

Open system authentication uses null authentication, which means that user names and passwords are not used to authenticate a user. This is the default for many access points (APs) and stations. Open system authentication enables a station to connect to any wireless AP that has open system authentication enabled, even if the service set identifier (SSID) is different from the station. An open system is often used in conjunction with 802.1x. The wireless client is allowed to make an unauthenticated association with the AP, but until the user logs on, the client cannot connect to the network. The shared-key authentication method verifies the identity of a station by using a WEP key. Both the station and the AP must be configured to use data encryption and the same WEP key. The station also needs to be configured to use a shared-key authentication instead of the default open-system authentication. A pre-shared key is used for WPA-Personal and WPA2-Personal. The key needs to be shared by the communicating parties before it can be used. PSKs are more often found in use on home wireless networks. The EAP authentication method authenticates a user and not the station. This is an enterprise implementation that is done with a RADIUS server. An AP forwards the authentication request to the RADIUS server, and the server calls the user credential database (for example, Active Directory in Windows domains) to verify the user. The RADIUS server then passes the identity verification to the AP.

Answer 55

A protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication. EAP categorizes the devices into different EAP types depending on each device's authentication scheme. The EAP method associated with each type enables the device to interact with a system's account database.

Answer 56

Designed to replace the Lightweight EAP (LEAP). | It addresses LEAP vulnerabilities through the use of TLS tunneling using a Protected Access Credential (PAC).

Answer 57

Mac OS X 10.3 and above Windows 7 and above Windows Server 2012 and above Windows Mobile 7 and above

Answer 58

Proposed as an open standard by a coalition made up of Cisco Systems®, Microsoft, and RSA Security. PEAPv0/EAP-MSCHAPv2 is a widely supported authentication method in EAP implementations.

Answer 59

A simple method of securing a wireless network is by controlling which MAC addresses are allowed to access the network.

Answer 60

By configuring a wireless access point (WAP) to filter MAC addresses, you can control which wireless clients can access your network. Typically, an administrator configures a list of client MAC addresses that are allowed to join the network. Those pre-approved clients are granted access if the MAC address is “known” by the access point. Although MAC filtering is usually implemented on wireless networks, it can also be used on wired networks to allow and deny access to the network.

Answer 61

A public-access or guest network often presents a web page users must view and acknowledge before they are granted network access. These open networks usually include anti-virus software and a firewall between the open network and the organization's production network. These are often found in places such as restaurants, airports, lobbies, libraries, and other public spaces that provide free WiFi access. The captive portal typically includes: A statement indicating who is providing the network service. This will help users know whether this is a legitimate site or one set up by a hacker. A statement that the information users send over the network is not secure. These open networks are typically do not using authentication or data encryption. Advertisements or social media links. This can help the organization provide access to customize the content based on which advertisements are clicked on and by seeing the users' social media content.

Answer 62

A method of defining virtual geographical boundaries using GPS or RFID.

Answer 63

When a mobile device with GPS or RFID capabilities enabled crosses into or out of the geofenced area, an event can be triggered. Examples of triggered events might include: Changing the temperature in a room or building. Turning the lights on or off when you enter a room or building. Locking your computer when you and your mobile device leave the defined area. Network administrators can also use geofencing to help manage BYODs to automatically change settings on the devices to comply with organization policies. Blocking some apps. Making other apps available only when within the organization's geofenced area. Changing access rights to data based on location. It can also be used to alert administrators if equipment owned by the organization travels outside of the geofenced area.

Answer 64

Unauthorized wireless access point on a corporate or private network. Not detected easily; can allow private network access to many unauthorized users with the proper devices. Can allow man-in-the-middle attacks and access to private information. Organizations should protect themselves from this type of attack by implementing techniques to constantly monitor the system, such as installing an IPS.

Answer 65

Rogue access points on a network that appear to be legitimate. Typically found in public Wi-Fi hotspots where users select available networks from a list. Evil twins can be more dangerous than other rogue access points because the user thinks that the wireless signal is genuine, making it difficult to differentiate from a valid access point with the same name.

Answer 66

Locates wireless access points while traveling, which can be exploited to obtain unauthorized Internet access and potentially steal data. This process can be automated by using a GPS device and wardriving software. Common war driving and war chalking tools include NetStumbler, Kismet, Aircrack, and Airsnort.

Answer 67

The act of using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network that may be offering Internet access.

Answer 68

The method used to crack the encryption keys used in WEP, WPA, and WPS installations to gain access to private wireless networks. Many tools are available that can aid attackers in cracking encryption keys, such as Aircrack.

Answer 69

IV is used in many cryptosystems; its implementation in wireless WEP encryption is weak. It is fairly easy and quick, using automated tools and a replay attack, to extract enough IV data to crack the WEP key. This gives the attacker the ability to connect to a WEP-encrypted wireless network along with all the other clients.

Answer 70

An attack on a network where an attacker captures network traffic, allowing data to be extracted from the packets. On a wireless network, a sniffer can be used not only to monitor transmitted data but also to identify the SSID of a wireless network even if that network's SSID broadcast is disabled.

Answer 71

A method used by attackers to send out unwanted Bluetooth® signals. Because Bluetooth has a 30-foot transmission limit, this is a very close-range attack. Attackers can send out unsolicited messages along with images and videos. These types of signals can lead to many different types of threats. They can lead to devise malfunctions, or even propagate viruses, including Trojan horses. Users should reject anonymous contacts and configure their mobile devices to the non-discoverable mode.

Answer 72

A method in which attackers gain access to unauthorized information on a wireless device by using a Bluetooth connection within the 30-foot Bluetooth transmission limit. Unlike bluejacking, access to wireless devices such as tablets, mobile phones, and laptops by bluesnarfing can lead to the exploitation of private information including email messages, contact information, calendar entries, images, videos, and any data stored on the device.

Answer 73

Makes the attack surface smaller. Hardening is done in multiple ways or layers to protect devices, the network, and data. An important part of hardening is ensuring appropriate patches and updates are installed.

Answer 74

Patch: A small unit of supplemental code meant to address either a security problem or a functionality flaw in a software package or operating system.

Answer 75

Hotfix: A patch that is often issued on an emergency basis to address a specific security flaw.

Answer 76

Rollup: A collection of previously issued patches and hotfixes, usually meant to be applied to one component of a device, such as a web browser or a particular service.

Answer 77

Service pack: A larger compilation of operating system updates that can include functionality enhancements, new features, and typically all patches, updates, and hotfixes issued up to the point of the release of the service pack.

Answer 78

The practice of monitoring for, obtaining, evaluating, testing, and deploying software patches and updates

Answer 79

Test the functionality of the updates before widespread installation of updates. In order for some updates to function properly, you might need to also update system firmware and drivers. Additional features might be available with some updates. If vulnerabilities in the firmware or operating system software on a server, workstation or other network device are detected, and an update is issued, you should immediately begin testing the updates.

Answer 80

As part of the patch management process, you backed up the software before installing the patch or update. If something goes wrong with updates or additional problems are found after deploying the updates, you can downgrade again to the previous version. If you have a configuration backup of all devices stored, and the patch or update is causing problems, the devices can easily be restored to the previous configuration. Many operating systems and applications have options built in that allow you to roll back to the previous version. Sometimes this is accessed through the installation program and other times it is a feature within an application or operating system.

Answer 81

Is called flashing

Answer 82

There are a few reasons why you should consider upgrading the system firmware, including: Provide support for new hardware. Fix bugs that prevent the operating system from installing or running properly. Enable advanced management features. Be eligible for vendor support.

Answer 83

Upgrading firmware can be damaging to devices if it is not done correctly. If you improperly flash the system firmware, it can render the device unusable. Often, your recovery options will be limited, but they should be listed on the manufacturer’s support website.

Answer 84

A category of protective software that scans devices and sometimes networks for known viruses, Trojans, worms, and other malicious programs.

Answer 85

Implement Internet email virus protection by: Screening the Internet gateway devices for viruses Employing reliable desktop antivirus software Scanning incoming emails between the Internet and the email server Scanning email again at the device level Disabling all Internet connections and isolating affected devices if a virus attack is detected

Answer 86

Scans devices or networks for known viruses, Trojans, worms, other malware. Some software can scan for unknown harmful software. Install on all devices and keep it updated. Can be host-based, server-based, or cloud-based.

Answer 87

Shared Key or Symmetric encryption: The same key is used both to encode and decode the message.

Answer 88

Key Pair or Asymmetric encryption: Each party has a public key that anyone can obtain and a private key known only to the individual.

Answer 89

Public key: In key-pair encryption, the key is available to all and is used to encode data.

Answer 90

Private key: In key-pair encryption, the key is known only to an individual and is used to decode data.

Answer 91

Reasons to generate new keys include: If a key is compromised. To replace the special production key shipped with some software images. If required by the organization’s policy to update a key after a period of time. This helps limit exposure if a key compromise was not detected

Answer 92

CA: (Certificate Authority) A server that can issue digital certificates and the associated public/private key pairs.

Answer 93

Encryption key: A specific piece of information that is used with an algorithm to perform encryption and decryption in cryptography.

Answer 94

A root CA is typically the first or only CA installed. A root certificate is an unsigned public key certificate or a self-signed certificate that identifies the root CA. A CA can issue multiple certificates in the form of a tree structure. A root certificate is at the top of the tree and is the private key that is used to sign other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate. Certificates further down the tree also depend on the trustworthiness of the intermediate CAs.

Answer 95

A different key can be used with the same algorithm to produce different ciphertext. Without the correct key, the receiver cannot decrypt the ciphertext even if the algorithm is known. The longer the key, the stronger the encryption

Answer 96

Permission: A security setting that determines the level of access a user or group account has to a particular resource.

Answer 97

Hashing encryption: One-way encryption that transforms cleartext into a coded form that is never decrypted.

Answer 98

Hash (Hash value, message digest): The value that results from hashing encryption.

Answer 99

EFS: (Encrypting File System) A file encryption tool available on Windows systems that have partitions formatted with NTFS.

Answer 100

FDE: (full disk encryption) A storage technology that encrypts an entire storage drive at the hardware level.

Answer 101

SED: (self-encrypting disk) A storage device that is encrypted at the hardware level in order to avoid relying on software solutions.

Answer 102

A permission is a security setting that determines the level of access a user or group account has to a particular resource. Permissions can be associated with a variety of resources, such as files, printers, shared folders, and network directory databases. Permissions can typically be configured to allow different levels of privileges or to deny privileges to users who should not access a resource. Assign rights and permissions to user groups. As the needs of individual users change, the users can be placed in groups with the appropriate security configuration.

Answer 103

Certificates can be used for data encryption. The certificate encryption process consists of four steps: A security principal obtains a certificate and a public/private key pair from a CA. The party that encrypts data obtains the user's public key from the user or from the CA's certificate repository. The encrypting party then uses the public key to encrypt the data and sends it to the other user. The other user uses the private key to decrypt the data.

Answer 104

Hashing encryption is one-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted. The result of the hashing process is called a hash, hash value, or message digest. The input data can vary in length, whereas the hash length is fixed. Two types of hashes: MD5 (Message Digest version 5) creates a 128-bit message digest from the input data. Secure Hash Algorithm (SHA) is used for US government documents and other documents to create a digital signature. SHA-2 and SHA-3 have four variations: SHA-224, SHA-256, SHA-384, and SHA-512.

Answer 105

A file-encryption tool is available on Windows devices that have NTFS-formatted partitions. EFS encrypts file data by using digital certificates. If a CA is not available to issue a file-encryption certificate, the local device can issue a self-signed encryption certificate to users who want to encrypt files. NTFS permissions control file access, but EFS protects the contents of the file. EFS can keep data secure even if NTFS security is breached—for example, if an attacker moves a physical hard drive to another system to bypass NTFS.

Answer 106

Used on SED devices, it ensures encryption at the hardware level.

Answer 107

A privileged user has full access to all aspects of a network, a device, or a computer. On a Windows system, this is the Administrator user. On a Linux or UNIX system, this is the root user. This account should only be used when absolutely necessary. For day-to-day operations, each user should have a regular user account. With the additional access that the privileged account has, if the account is compromised, the attacker can reach more data and devices. The principle of least privilege dictates that users and software should have only the minimal level of access that is necessary for them to perform their duties. This level of minimal access includes facilities, computing hardware, software, and information. Where a user or system is given access, that access should conform to the least privilege level required to perform the necessary task.

Answer 108

Role separation, also known as separation of duties, is implemented as a policy that states that no one person should have too much power or responsibility. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuses of power. Duties such as authorization and approval, and design and development, should not be held by the same individual because it would be far too easy for that individual to defraud or otherwise harm an organization. In many typical IT departments, roles like backup operator, restore operator, and the auditor is assigned to different people.

Answer 109

Turn off trunking on all ports unless trunking is specifically required on a certain port. On a port where trunking is enabled, disable dynamic trunk protocol (DTP), then manually enable trunking.

Answer 110

Used on Cisco switches to prevent protected ports from forwarding traffic to any other protected port on the switch. Traffic is forced to be forwarded through a router or other Layer 3 device. The switch port port-security command enables port security on a port. switch port command options allow you to configure: Spanning tree Flood guard BPDU guard Root guard DHCP snooping MAC address filtering

Answer 111

Make sure that user ports and native VLAN trunk ports are different. Consider using a fixed VLAN that is completely separate from all user VLANs on the switched network.

Answer 112

Increases system security by reducing the attack surface. Compliance requirements might require segmentation. DMZ helps protect networks from unauthorized access. VLANs can be used to create smaller segmented networks. If an attacker gets through the DMZ, they must breach another firewall to get into a network segment. Each subsystem is placed in its own area or zone. Zones are defined by a logical or physical boundary. Each zone has a security zone that contains a group of logical or physical assets that require similar security measures. A physical or logical border separates zones from other resources. A conduit is established that connects defined zones with other network resources. The conduit enables safe and secure communications between the defined zone and other network zones. Conduits can include network security features such as firewalls and VPNs. All communication between any zones must take place through one of the implemented conduits to protect the data and systems.

Answer 113

NAT conceals internal private IP addresses from external networks. The private address is a virtual IP address, not assigned to an actual device. The router is configured with a single public IP address on its external interface and a private address on its internal interface. NAT service translates between the two addressing schemes. Packets sent to the Internet from internal hosts appear as if they came from a single IP address. In static NAT, an unregistered address is mapped to a single specific registered address. In dynamic NAT, a single unregistered address is mapped to the first registered address in an address pool. PAT is a subset of dynamic NAT functionality that maps either one or more unregistered addresses to a single registered address using multiple ports. PAT is also known as overloading

Answer 114

Port forwarding, also called port mapping, enables a permanent translation entry that maps a protocol port on a gateway to an IP address and protocol port on a private LAN. Network clients cannot see port forwarding. This allows communications from an external source to a destination within a private LAN. For example, a remote device could use port forwarding to connect to a specific device or service within a private LAN.

Answer 115

Penetration testing: An attack authorized by the owner of a computer network with the purpose of finding security weaknesses.

Answer 116

IDS: (intrusion detection system) Software, hardware, or both, that scans, audits, and monitors for signs of attacks in progress.

Answer 117

IPS: (intrusion protection system) Inline security device that monitors suspicious network traffic and reacts in real-time to block it.

Answer 118

Can discover which defenses were effective and which were vulnerable. Penetration test results should be reported to the owners so that they are aware of any issues they need to address. Uses intrusion detection (IDS) and intrusion prevention systems (IPS).

Answer 119

Honeypot: A security tool used to lure attackers away from the actual network components. Also called a decoy.

Answer 120

Honeynet: An entire dummy network used to lure attackers away from actual network components.

Answer 121

Proxy server: A system that isolates internal clients from the servers by downloading and storing files on behalf of clients.

Answer 122

Reverse proxy server: A type of proxy server that retrieves resources on behalf of a client from one or more servers.