Networking Concepts (Chapter 1) Flashcards
What is a network
A connection between 2 or more nodes that can communicate with each other
IP address
- A unique number that identifies a node on a network.
- Can change when the node moves to a different network or when it is reassigned by DHCP
- a node can have multiple IP addresses
- IPv4/IPv6
MAC Address
Media Access Control
A unique physical address that identifies the node on the network, issued by NIC
Source/Destination
The sender and recipient of a data transmission; both nodes form a connection in which they alternate between being source and destination
Protocol
Set of rules or language used for communication
Port
A logical source/destination for a network service
0 - 1023 used by common services
1024 - 49151 used by service processes
49152 - 65535 used by client processes
Socket
An identifier for a port in use, made up of the protocol, IP address and port number, that uniquely identifies a connection on a network
OSI Model
7 layers
Application
Presentation
Session
Transport
Network
Data Link
Physical
Application Layer (OSI)
Responsible for requesting network services for a specific app via a specific protocol (mail = SNMP/POP3, web browser = HTTP/HTTPS)
Data
Presentation Layer (OSI)
Layer responsible for communicating the correct data format (MP3, JPG) that will be transmitted
Data
Session Layer (OSI)
Responsible for managing and separating different network “conversations” by assigning ports for each process
Data
Transport Layer (OSI)
Layer responsible for establishing, managing and tearing down a session, as well as encapsulating data into either segments (TCP) or datagrams (UDP) with a header that carries embedded information
Network Layer (OSI)
Layer responsible for adding the logical address to the header and encapsulating the TCP segment or UDP datagram into an IP packet
Data Link Layer (OSI)
Responsible for adding the physical addresses of the source and destination to the header and encapsulating the packets into frames.
Adds a trailer with CRC to check that data hasn’t been corrupted
Data Link Layer Sub layers
Logical Link Control
- describes the network payload
Media Access Control
- adds physical address
Physical Layer (OSI)
Responsible for transmitting the frames in terms of bits over a network medium
DoD Model
Aka TCP/IP Model
4 layers that map to the OSI model
Application Layer (DoD)
Incorporates OSI Application Layer, Presentation Layer and Session Layer
Host-to-Host Layer (DoD)
Incorporates OSI Transport layer
Internet Layer (DoD)
Incorporates OSI Network layer
Network Access Layer (DoD)
Incorporates OSI Data Link Layer and Physical Layer
TCP/IP Protocols
Host-to-Host Layer
- TCP, UDP
Internet Layer
- IP, ICMP, IGMP
Network Access Layer
- ARP
Connection-Orientated
Attempts to ensure reliability and completeness of transmission through the use of acknowledgement flags during data transmission; resends data depending on the recipient's sequence acknowledgement in its segment header.
- sequence used to reconstruct data
- TCP protocol
- session is established via a 3-way handshake (SYN - SYN/ACK - ACK)
- session is torn down via a 4-way handshake (FIN - ACK - FIN - ACK)
Connectionless
Makes no attempt to ensure completeness of data transmission; relies on the application or higher-level protocols to request data lost in transmission.
- Used for performance
Router
Responsible for making forwarding decisions between routers based on Layer 3 (Network layer) IP addresses.
- can learn routes and store them in a routing table
- can rewrite the layer 2 (Data Link Layer) header depending on the network medium type (WiFi, Ethernet, etc.)
- can have built-in Wireless Access Points
Switch
Makes forwarding decisions based on Layer 2 MAC addresses; builds its MAC address table from the frames arriving on its ports
A Layer 3 switch adds routing capabilities.
Firewall
Software or hardware appliance that separates the untrusted network (internet) from your trusted network by enforcing rules to filter out unwanted traffic.
- Usually provides Network Address Translation (NAT)
- can work at layers 2-7
IDS
An Intrusion Detection System (IDS) is a software or hardware appliance that analyzes network traffic for malicious signatures and logs matches to a dashboard
- software (Host IDS / HIDS)
- network appliance (Network IDS / NIDS)
IPS
An Intrusion Prevention System (IPS) is a software or hardware appliance that analyzes packets and reports findings to a dashboard; it is placed at a strategic location on the network to act as a choke point that cuts malicious traffic off from the network.
- Uses a signature database
- can detect zero-day attacks
- can be software (Host IPS / HIPS) or a network appliance (Network IPS / NIPS)
Load balancer
A device that distributes incoming traffic among multiple servers based on the quantity of traffic, which improves the overall performance of the service and provides redundancy.
Proxy Server
A service that fetches content on behalf of the client, preventing the client from accessing the internet directly.
Works at layer 7
NAS
Network Attached Storage (NAS) is a set of storage devices set up in a RAID that act as a file storage system on a network
Storage Area Network
An array of disks connected to network servers that acts as the dedicated storage for all devices on the network. The storage can be divided into smaller Logical Unit Numbers that act as partitions, which the servers use as their dedicated storage
iSCSI
iSCSI is a common interface type used to connect to a storage array by sending SCSI commands as IP payloads
WAP
Wireless Access Point
- acts as bridge between wireless and wired networks
Access Point Modes
Standalone
- independent, acts as a single AP with one SSID
Controller-Based
- Lightweight, centrally managed via a controller, with multiple SSIDs
Cloud-Managed
- multi-site, remote management
Mesh AP
- Multiple APs that use the same SSID on different channels, giving a large coverage area
Wireless LAN Controller
Used to manage multiple wireless access points (WAPs) through centrally controlled configuration; allows clients to be load balanced in response to client load or radio interference.
Wireless Range Extender
A WiFi repeater that connects to a WAP, repeats the signal and extends its coverage
Content Delivery Network
A distributed network of servers strategically placed around the globe that cache web content and services so they can be accessed quickly by nearby users.
CDN key features
Caching & Distribution
- caches static content
- reduces latency
Availability & Reliability
- provides redundancy and load balancing
Security features
- protection against malicious attacks
Traffic Offloading
- handles requests for static content, thus reducing load on the origin server
Virtual Private Network (VPN)
A stream of network packets that are hidden inside other encrypted packets
Quality of Service (QoS)
A set of networking techniques that prioritize network traffic of a certain type (voice, video, data)
Time To Live (TTL)
The limited number of hops that a packet can take via routers to reach its destination before the packet is destroyed
Network Function Virtualization (NFV)
The act of taking the functionality of network components (routing, switching, load balancing, firewalls, etc.) and implementing each part as software rather than hardware.
- de facto approach for cloud-based networking services
Virtual Private Cloud
A secure, isolated environment within a public cloud that allows users to perform tasks that would normally require a data centre
VPC key features
Isolated Network Environment
Customizable Network Configuration
Enhanced Security
Scalable & flexible
Direct Connectivity Options
Cost Effective
Network Security List
A type of Access Control List for cloud networking used to allow or deny traffic to and from a specific resource on the virtual network.
Cloud Gateways
Network components that provide connectivity between cloud resources and external networks (internet), enabling secure and efficient data transfer.
Cloud Connectivity Methods
Public Internet
VPN
Direct Connect
- dedicated link to a cloud environment
Cloud Model Types
Public
- shared environment managed by a cloud provider
Private
- dedicated, single-tenant environment
Hybrid
- combines public and private clouds, often with data and applications moving between them based on workload and needs
Community
- a provider-based cloud designed for a group or organisation with shared concerns, requirements or compliance needs
Cloud Service Models
Defines the level of control, management and responsibilities shared between the cloud provider and customer
IaaS, PaaS, SaaS
IaaS
Infrastructure as a Service
A cloud model that provides a client with the required hardware
PaaS
Platform as a Service is a cloud model that provides development tools to build an application
SaaS
Software as a Service is a cloud model that allows an end user to access an application
Vertical Scaling
Increasing or decreasing the capacity of an existing instance, suitable for a server that needs more processing power to handle increased loads
Horizontal Scaling
Adding or removing instances of virtual machines, suitable for load balancing
Elasticity
Ability for a cloud environment to expand or contract resources in real time based on demand
Multitenancy
A key architectural feature of cloud computing that allows multiple users (VMs) to share the same computing resources
Transmission Control Protocol (TCP)
A layer 4 (transport layer) connection-orientated protocol that provides reliable communication over an IP network by breaking the data down into segments with identifying sequence IDs.
Protocol ID 6
Sliding window
A field in the TCP header that communicates to the sender how big the data segment can be
Handshake
A procedure that uses flags in TCP headers to start and end a session between two endpoints
Start
Three way handshake
SYN -> SYN/ACK -> ACK
End
Four-way handshake
FIN -> ACK -> FIN -> ACK
Acknowledgement Number
A number embedded in the TCP header that the destination uses to tell the source what the next sequence number should be.
TCP header
In the transport layer (Host-to-Host), the data is encapsulated into segments and a 20-byte header is attached to each, containing:
- Source port
- Destination port
- Sequence Number
- Acknowledgement Number
- Window Size
- Flags
- Checksum
TCP Flags
URG
- urgent
- tells the destination to prioritize this data
ACK
- Acknowledge
- All TCP segments will have ACK set apart from the first and the last
PSH
- push
- tells the destination to pass this data directly to the application
RST
- reset
- tells the destination that the source has abruptly dropped the connection
SYN
- synchronise
- used in three way handshake to start connection
FIN
- finish
- used in four way handshake to end connection
User Datagram Protocol (UDP)
A layer 4 (transport layer) connectionless protocol that attempts to send datagrams to the destination as fast as possible; relies on the source application to break down the data and the destination application to request any missing data
Embeds the source and destination in the header
Protocol ID 17
UDP header
Contains 32 bytes of information, consisting of: source, destination, checksum and length
Internet Protocol (IP)
A layer 3 (network layer) connectionless protocol.
Protocol ID 4
IPv4
- uses 32-bit logical addressing to identify source and destination
IPv6
- uses 128-bit addresses, written in hexadecimal, to encode source and destination
Internet Control Message Protocol (ICMP)
A layer 3 error reporting protocol for IPv4 and IPv6, used by network devices to generate error messages and manage traffic flow
Protocol ID 1
ICMP Types & Codes
Type
- defines the general purpose or category of the message
Code
- provides specific detail on the context of the message
Internet Group Management Protocol (IGMP)
Used by hosts to notify routers that they are still interested in receiving multicast traffic from an upstream server
Protocol ID 2
Address Resolution Protocol (ARP)
Layer 2 connectionless protocol used to map MAC addresses to IP addresses so that network traffic can be sent. Network traffic needs source and destination MAC addresses, IP addresses and port numbers in order to send and receive data.
- ARP sends out a broadcast message asking who has a given IP address, and for that node to send back its MAC address.
Protocol ID N/A
Tunneling
The act of hiding a packet inside another packet; the original packet becomes the payload of the outer packet
Generic Routing Encapsulation (GRE)
A tunnelling protocol created by Cisco that encapsulates a wide variety of network layer protocols inside point-to-point connections over IPv4 or IPv6 packets
IP security (IPSEC)
The most common type of VPN tunneling, using ISAKMP and IKE to create a secure tunnel.
- IPSEC consists of the Authentication Header protocol (AH) and/or the Encapsulating Security Payload protocol (ESP)
Authentication Header (AH)
Digitally signs the IP packet by calculating a hash (HMAC) to ensure that the payload isn’t modified
Payload is not encrypted
Protocol ID 51
Encapsulating Security Payload (ESP)
Encrypts the payload and digitally signs the TCP or UDP header by calculating a hash (HMAC)
Doesn’t change the IP header
Protocol ID 50
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is a framework used by IPSEC to form a VPN between two peer devices
IKE
A protocol used by ISAKMP to negotiate and establish secure communication, using a Diffie-Hellman handshake to exchange keys and negotiate cryptographic parameters
IPSEC Transport mode
Host-to-Host VPN
Packets are not encapsulated inside another packet
IPSEC Tunneling Mode
Used for site-to-site VPNs
Packets are encapsulated inside another IP packet
Anycast
A special type of unicast used by IPv6 that sends packets to the geographically closest server
Unicast
One source to one destination
Multicast
One source to multiple destinations
Broadcast
One source to all destinations on a network
WiFi Channels
WiFi uses radio channels, each covering a range of frequencies, to connect to wireless devices
2.5 GHz band
- channels overlap apart from 1, 6 and 11
5 GHz & 6 GHz band
- no overlapping channels
Channel Bonding
A technique by which adjacent WiFi radio channels in the 5 GHz or 6 GHz bands are combined to create a “wider” channel, thus increasing the available bandwidth.
A single radio band cannot support multiple channel widths at the same time, so all SSIDs on the radio band will use the same channel width
5 GHz band = 40 MHz or 80 MHz
6 GHz band = 80 MHz or 160 MHz
Maximum speed
The theoretical maximum data rate supported by a WiFi standard
Bandwidth
The capacity of the channel, defined by its channel width (20 MHz, 40 MHz, 80 MHz, 160 MHz); a wider channel enables a higher data rate
Throughput
The amount of data transmitted over the network per second, which is influenced by channel width, MIMO configuration and modulation efficiency
802.11n
WiFi 4
- 2.5/5 GHz bands
- up to 600 Mbps
- 20, 40 MHz channel width
- 14 overlapping channels
- 8x8 MIMO (4x4 most common)
802.11ac
WiFi 5
- 2.4/5 GHz bands
- up to 3.5 Gbps
- 20, 40, 80, 160 MHz channel width
- up to 25 channels (depending on channel width)
- 8x8 MIMO (4x4 most common)
802.11ax
WiFi 6
- 2.4/5/6 GHz bands
- up to 9.6 Gbps
- 20, 40, 80, 169 MHz channel width
- up to 86 channels (depending on channel width)
- 16x16 MIMO (8x8 most common)
802.11be
WiFi 7
- 2.4/5/6 GHz bands
- up to 46 Gbps
- 20, 40, 80, 160, 320 MHz channel width
- up to 116 non-overlapping channels
Unidirectional Antenna
An antenna that has a narrow field of focus (45-90°) for the signal, which allows the signal to travel farther
Omnidirectional Antenna
Has a field of focus of 360°
MIMO
Multiple In Multiple Out
The ability of an access point to use more than one antenna simultaneously to transmit and receive, which increases throughput and improves signal reliability by allowing multiple signal streams.
- If an access point supports 4 antennas, MIMO will use 2 to transmit and 2 to receive
Spatial stream
An independent data stream on the same frequency sent via a separate antenna; the number of spatial streams depends on the antenna configuration (2x2, 3x3, 4x4)
WiFi authentication
Personal
- the WAP is configured with a pre-shared key that the user must enter to connect to the access point
Enterprise
- The WAP acts as a client for end devices (supplicants) to connect to, but doesn’t allow them to access the network until the user enters their credentials in a captive portal, which are used to authenticate the user with a RADIUS server. Once the user is authorised, the device (supplicant) is given access to the network
Basic Service Set (BSS)
A simple WLAN (wireless local area network) that consists of one WAP, one SSID and one channel
- BSSID is the MAC address of the WAP
- usually accommodates up to 10 clients
Extended Service Set (ESS)
A mesh of BSSs that act as a single WAP with the same SSID
- each BSS has a separate BSSID
- typically managed by a WLAN controller that sends configuration information, including user load balancing, to the APs
4G LTE
Speed: up to 1 Gbps
Latency: 30-50 ms
Frequency bands:
- Voice: low-band 600 MHz - 1 GHz
- Data: mid-band 1 GHz - 3.5 GHz
Key technology:
Carrier Aggregation, MIMO
5G
Speed: up to 10 Gbps
Latency: 1 - 10 ms
Frequency bands:
- Voice: low-band
- Data: mid-band (6 GHz), mmWave (up to 39 GHz)
Key technology:
Massive MIMO, Beamforming, network slicing
Massive-MIMO
A large antenna array that can service multiple client devices
64-1024 antennas per array
Beamforming
A technology used by Massive MIMO, at the heart of 5G, that focuses radio signals towards a single receiver; multiple smaller streams (created by combining antennas from an array) are combined to form a stronger stream
Cellular Network Architecture
Mobile devices are wirelessly connected to cell towers, which are connected to each other and to the core of the network via high-speed fiber.
The network is divided into land areas called cells that are covered by cell towers
Cells have different coverage areas depending on their type: Macro, Micro, Pico, Femto
Macro Cells (cellular Network Architecture)
- large area coverage
Power output: 10 - 100 W
Urban coverage: 5-10 km
Rural coverage: 30 km
Micro cell (Cellular Network Architecture)
- indoor or dense urban area
Power output: 1 - 10 W
Coverage: 200 m - 2 km
Pico cell (Cellular Network Architecture)
- indoor or dense urban area
Power output: 100 mW - 1 W
Coverage: 100 - 200 m
Femto cell (Cellular Network Architecture)
- indoor or dense urban area
Power output: 10 - 100 mW
Coverage: 30 - 50 m
Unshielded Twisted Pairs (UTP)
Inexpensive and easy to install
- max 100 m
- protected against EMI
- should have a repeater every 85 m
Shielded Twisted Pairs (STP)
Wraps the wire pairs in a conducting metal shield to help protect against EMI and RFI
- Thicker and more expensive than UTP
Twisted Pair Cable Standards
Cat 5 - 100 Mbps @ 100 m, 1000BASE-XT
Cat 5e - 1 Gbps @ 100 m, 1000BASE-T
Cat 6 - 1 Gbps @ 100 m, 1000BASE-T
Cat 6 - 10 Gbps @ 50 m, 10GBASE-T
Cat 6A - 10 Gbps @ 100 m, 10GBASE-T
Cat 8 - 40 Gbps @ 5 - 30 m
Plenum
A cable material standard that ensures the material used doesn’t give off toxic smoke during a fire
Coaxial Cable
The original standard for Ethernet; consists of an inner copper wire covered by insulation and a braided shield, which helps protect against EMI
Twinaxial Cable
Similar to coaxial cable but has 2 inner copper cores, which are twisted together for differential signals
- 10 - 400 Gbps
Direct Attached Copper (DAC)
Twinaxial cable that has transceiver modules (SFP+, QSFP+, QSFP28) attached at both ends to allow for up to 400 Gbps
RJ11
A connector with 4 pins (Red, Green, Black & Yellow) that is used for landlines
RJ45
A connector with 8 pins that is used to terminate all unshielded twisted pair and shielded twisted pair cables
Wiring Standards (TIA/EIA 568A)
- White + Green
- Green
- White + Orange
- Blue
- White + Blue
- Orange
- White + Brown
- Brown
Wiring Standards (TIA/EIA 568B)
- White + Orange
- Orange
- White + Green
- Blue
- White + Blue
- Green
- White + Brown
- Brown
Optical Fiber
A cable consisting of long thin strands of glass surrounded by cladding with a different refractive index. Light is shot through the glass to transmit data
Multimode Fiber
A fiber optic cable with a large core that transmits light generated by a VCSEL array, which creates multiple beams of light. The light gets reflected off the cladding, which results in signal degradation over time
- used for short distances
- cables come in OM1, OM2, OM3, OM4, OM5
Single Mode Fiber
A fiber optic cable with a small core that transmits light created by a laser, producing a single beam of light that is reflected very few times.
- used for long distances
- cable types: OS1, OS2
Fiber optic connectors
- Subscriber cable
- Local Connector
- Ferrule Connector
- Stick and Twist
- Multi-fiber Push On
Fiber optic pigtails
Used to terminate the many strands of a backbone cable at a fiber optic patch panel by separating each fiber core of the backbone cable into a smaller individual cable
How to choose the correct transceiver
- Do all components support the same Ethernet standard (switch port, transceiver, cable)?
- Verify that the transceiver is supported by the switch manufacturer
- Transceiver is compatible with the type of fiber cable (multimode, single mode)
- Ensure the transceiver can handle the required distance
- Might need backwards compatibility
- Switch port can support the transceiver power requirement
- Ensure the cable and transceiver are suitable for the environment
- Latency
- Signal integrity
Media converter
Converts one cable type into another
Small Form-Factor Pluggable (SFP)
A compact, hot-swappable fiber optic transceiver that can support speeds of up to 4.25 Gbps and a max distance of 150 km.
Enhanced Form-Factor Pluggable (SFP+)
A compact, hot-swappable fiber optic transceiver that can support speeds of up to 10 Gbps and a max distance of 80 km
Quad Small Form-Factor Pluggable (QSFP)
A compact, hot-swappable fiber optic transceiver that uses a breakout cable to split a single cable into four 1 Gbps lanes
Enhanced Quad Small Form-Factor Pluggable (QSFP+)
A compact, hot-swappable fiber optic transceiver that can split a cable into lanes of different speeds
- 1 x 40 Gbps
- 4 x 10 Gbps
Quad Small Form-Factor Pluggable 28 (QSFP28)
A hot-swappable fiber optic transceiver that can split a cable into lanes of different speeds
- 4 x 25 Gbps
- 2 x 50 Gbps
- 1 x 100 Gbps
BX SFP Transceiver
A fiber optic transceiver that supports full duplex by sending 2 different light frequencies through the cable
SAN Protocol
A Storage Area Network can be connected using Ethernet, Fibre Channel or iSCSI, using the same cabling, connectors and transceivers that the protocol uses
Network Topology
The layout of a network, describing how devices connect and communicate.
Physical Topology:
- layout of the physical connections between devices on a network
Logical Topology:
- layout of how data moves between devices on a network
Topology types
Point-to-point
- a topology in which devices are connected directly to each other
Star
- a topology where devices on a network are connected to a central node (switch) that directs the traffic over the network
Mesh
- a topology that uses multiple nodes to direct traffic over the network (aka star topology with redundancy)
Three-Tier hierarchy model
A network design framework that organises a network into 3 logical layers
Core
- backbone of the network
Distribution
- routing between VLANs
Access
- connectivity of end devices
Collapsed Core Model
A network framework designed for smaller networks, where the distribution and core layers are combined into a collapsed core
Collapsed Core layer
Access Layer
Spine & Leaf Topology
A network framework that consists of only 2 layers
Spine
- interconnects all leaf switches
- full mesh
Leaf
- aggregates traffic from servers
- connects directly to the spine
Traffic Flow
Describes the direction and type of data movement within a network. Data flows north-south or east-west
North-south traffic
The data flow between clients and servers, which is managed by firewalls and load balancers with a focus on security and scalability
E.g.:
- data flowing from client to distribution switch to network server
- data flowing from client to distribution switch to access point to internet
East-west Traffic
The flow of traffic between servers, services or applications within the network, often managed by high-speed switches to accommodate the large volume of internal communication.
Software Defined Networking
Aka controller-based networking.
A software-based approach to network management that centralizes control by separating the control plane (routing logic) from the data plane (traffic forwarding), allowing configuration to be dynamically and automatically applied across all devices.
Software Defined WAN (SD-WAN)
A software-defined approach to managing a multi-site WAN that dynamically creates VPNs over the best routes for the user to reach their end destination.
- All connectivity is monitored by a software controller
SD-WAN Underlay
The connections over public networks that are used to move traffic for business operations.
Edge device
A type of router that is able to take SD-WAN commands in real time. Edge devices are connected to the underlay and create VPNs to other edge devices
SD-WAN Overlay
The dynamically changing logical topology of VPNs created by edge devices on top of a public network, which allows secure access to destinations.
- The VPNs are created based on demand and end-destination needs and are torn down when no longer needed
SD-WAN Architecture
Orchestrator
- consists of a master controller that can control multiple controllers for multiple SD-WANs
Control plane (overlay)
- the system of VPNs that are dynamically created between edge devices
Forwarding plane (underlay)
- the physical network the overlay runs on
Edge
- point where local networks connect to the overlay
Edge-Controller Communication
A stream of messages between the controller and edge devices, sent over the underlay as part of internet traffic in UDP packets (port 443) with DTLS encryption.
The controller streams messages to edge devices:
- control plane messages
- management plane messages
- data plane messages
- Security Messages
- Diagnostic and Troubleshooting messages
Virtual Extensible Local Area Network (VXLAN)
A type of virtual LAN spread across multiple locations, with a tunneling mechanism (VPN) that enables seamless connectivity between all locations
How VXLAN works
VXLAN creates a virtual overlay network (VPN) on top of an existing IP network (underlay) by encapsulating frames into UDP packets with a VXLAN header. The packets are routed over the IP provider’s backbone network
VXLAN Network Identifier (VNI)
A 24-bit number used to uniquely identify each isolated virtual network in a VXLAN environment. It is encoded in the VXLAN header
VXLAN Tunnel Endpoint (VTEP)
The device or software component responsible for VXLAN encapsulation and decapsulation
VTEP process:
1) A VM on host-A sends a packet to a VM on host-B within the same VXLAN segment (VNI 5000)
2) Host-A’s VTEP encapsulates the frame, adding a VXLAN header with VNI 5000 and the IP address of host-B’s VTEP
3) The encapsulated packet is routed over the layer 3 network
4) Host-B’s VTEP decapsulates the packet and forwards it to the target VM
Data Centre Interconnect (DCI)
An extension of VXLAN technology that connects multiple data centres
Zero Trust Architecture (ZTA)
An approach to security that assumes all network traffic may be compromised, so verification is required every time it tries to access data, services or applications on the network.
Identity-based security
- Access is based on verifying the identity of a user and device through strong authentication methods and continuous monitoring.
Least Privilege access
- users and devices have the minimum access required to perform their tasks
Micro-Segmentation
- the network is divided into multiple smaller segments to isolate resources and minimize the impact of potential breaches
Secure Access Secure Edge (SASE)
A cloud-based framework that integrates VPN-to-LAN capabilities with built-in security to allow a user on an unsecured network to connect to a corporate network securely.
SASE consists of:
- SD-WAN
- Secure Service Edge (SSE)
Secure Service Edge (SSE)
Centralised security policy enforcement used in SASE
Consists of:
- Zero Trust Network Access (ZTNA)
- Secure Web Gateway (SWG)
- Cloud Access Security Broker (CASB)
- Firewall as a Service (FWaaS)
Infrastructure as Code (IaC)
A practice that automates the management of software-based networking by using code, which allows infrastructure (IaaS/PaaS) to be treated the same way as software code.
It separates configurations, policies, profiles, scripts and templates from the hardware, which allows them to be accessed via code