Section 2 - Secure Network Architecture Flashcards
What are common edge services
Firewalls
Routers
Load Balancers
NAT Gateway for Cloud VPC
Useful for cloud computing; uses Elastic IPs that can be remapped to another instance
Internet Gateway - is a VPC component allowing traffic between VPC and Internet
Mail Security - DKIM/SPF
DDoS Protection
Rate Limiting
WAF
Blackhole Routing - drops all traffic; not ideal
CSPs provide DDoS protection
DDoS Mitigation Software/Appliance
What is the difference between edge services vs application layer protection
Edge services take a broad approach to protecting network traffic by limiting protocols and traffic flows based on source and destination, whereas application-layer protection looks within the protocols to interpret them more fully.
They can be combined or deployed as separate solutions.
What type of firewall allows for inspection of the content of the protocol traffic
Next-Generation Firewall (NGFW)
What is the type of device/firewall that provides multiple security services in a single solution?
Unified Threat Management (UTM)
Content Filtering
DLP
SPAM
Anti-Virus
Geo-IP Filtering
What device provides for protocol-specific outbound traffic and which type of proxy requires client configuration
Forward/Transparent Proxy
Non-Transparent Proxy - requires client configuration; typically port 8080
Transparent Proxy must be implemented on a switch or router to operate
What type of script allows a client to configure proxy settings and what protocol will allow for this
Proxy Autoconfiguration Script (PAC)
Web Proxy Autodiscovery (WPAD)
What type of proxy is in the line of traffic from the “outside-in”
Reverse Proxy
Used for performance improvement by caching web content, similar to a load balancer
What are the deployment ways for a WAF
Network-Based - separate host configured for WAF
Host-Based - runs on the same host as the web application server; ModSecurity is a popular Apache-based example that protects against application-layer attacks
Cloud-Based - provided by a service provider and delivered via a cloud platform. Less expensive than network-based and leverages expertly configured WAF protection
What is the special cloud-based service used to centralize the functions provided by APIs
API Gateway - can be detached from main application
XML Gateway - better suited for API only with similar protection
What is the type of attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing, and what can help mitigate against these types of attacks
DNS Spoofing or Poisoning
Domain Name System Security Extensions (DNSSEC) - set of specifications designed to provide an added level of security to traditional DNS
To extend traditional DNS with DNSSEC functionality, what type of resource record must be set up
Resource Record Set (RRset) - all resource records for a domain that have the same type; the RRset is signed with the Zone Signing Key (ZSK) so it can be verified as trustworthy. The ZSK is in turn signed using a Key Signing Key (KSK)
What two major tasks does a VPN perform
Creation of the tunnel and protection of the data within it.
For example, L2TP creates the tunnel and IPsec secures it
What is the general term for the collected protocols, policies and hardware that authenticate and authorize access to the network at a device level
Network Access Control (NAC)
understand the use of a quarantine network - VLAN Jail
What are the 3 analysis types of a NIDS
Signature Based
Anomaly Based - based on protocol
Behavior Based - learns traffic patterns
A NIDS handles a high volume of traffic and uses sensors connected to a Switched Port Analyzer (SPAN) port or port mirroring.
What is a method of sniffing where a hardware device is inserted into a cable to copy frames for analysis
Test Access Port (TAP)
What is the type of software that reviews system files to ensure that they have not been tampered with
File Integrity Monitoring (FIM)
Is SNMP a secure protocol
Not really - community names are sent in plain text; avoid v1 or v2
What is the Cisco-developed means of reporting network flow information to a structured database, and what is the equivalent open (web) standard
NetFlow
sFlow - technically not a true flow protocol as it does not aggregate packets
What are some common methods for Segmentation of Networks
Subnetting
VLANs
What is the subnetting design that uses two firewalls, one on either side of the DMZ
Screened Subnet
What is the broad term for how objects can interact with each other in layer 3 switches and routers
Access Control Lists
What is the difference between an Air Gapped Host and a Jump Box
An air-gapped host is not physically connected to any network and is physically protected
A jump box is a specially configured, highly hardened and closely monitored host used to perform administrative tasks or to access other servers
What describes the capability of isolating workloads from one another and protecting them individually
Microsegmentation
Cloud-centric and designed for East-West traffic flows
What is the general term, and the Azure-specific term, for the creation of cloud resources within a private network that parallels the functionality of the same resources
Virtual Private Cloud (VPC) or Virtual Network (VNet) in Azure
In a cloud environment, what is used to control inbound/outbound traffic
Network ACL (NACL, pronounced "nackle") - stateless, so both inbound and outbound traffic flows must be explicitly defined
What works alongside network ACLs, is associated with individual instances, and acts as a virtual firewall
Policies/Security Groups
What describes the state and location of data to help isolate and protect it.
Data Zones
Raw Zone - data from multiple sources
Structured/Curated Zone - quality checked
Analytical Zone - used for practical purposes
What is the term for the defined perimeter between inside and outside being deconstructed
Deperimeterization - well-established barriers are breaking down due to many initiatives such as cloud, work from home, etc.
What are the key tenets of Zero Trust Architecture
Everything is considered external and designs adopt the adage:
“never trust, always verify” and “assume breach”
Which NIST Publication defines ZTA
NIST SP 800-207
ZTA does not define security via network boundaries but instead via resources. This is where microsegmentation plays a key role
T or F: in order to set up VPC peering between the cloud and on-premises you need to establish a VPN
True
What operates as a guardian between two connected sites and is typically associated with military establishments
Cross Domain Solutions (CDS)
What is the principal means of providing privilege management and authorization on an enterprise network, and what protocol does it use
Directory Services
LDAP is the protocol widely used to query and update X.500 directories.
Uses Distinguished Names (DN) as unique identifier.
What is the difference in scaling servers horizontally and vertically
Horizontal is adding more servers to the farm, while vertical is adding more resources to existing servers
List some examples of scalable designs
Content Delivery Network (CDN) - distributing and replicating components of a service to key service areas needing content delivery
Caching - used for maintaining consistent performance during file access and data processing. In the cloud, API Gateways can provide caching
T or F: using a single vendor's products is ideal for interoperability but not for providing a security layer
T - diversity adds complexity that can slow an adversary down.
What is the term for the capability to spread workloads among multiple cooperating units.
Distributed Allocation - associated with cloud platforms to locate services across multiple regions or Availability Zones
During a failure of a single node of a 2 server cluster which type would potentially be impactful to users from a performance standpoint?
Active/Active - since they are technically load balanced, capacity would be cut in half
What is the difference between a Type 1 and Type 2 Hypervisor
Type 1 - installed directly onto the hardware and manages access without going through a host OS; a Type 2 hypervisor runs on top of a host OS.
Type 1 - VMware ESXi, Hyper-V, Xen
Type 2 - VMware Workstation, Parallels
What is the method of virtualization that does not use a hypervisor but leverages the capabilities of the host OS, and what is its widely adopted platform?
Containerization and Docker
What are the 3 models of VDI
Hosted - by a third party
Centralized - hosted within the enterprise
Synchronized - the virtual desktop is copied to the remote device and can be used in a disconnected state
In a cloud setting, what describes the set of automated tasks that run as part of deploying an instance
Bootstrapping
In a cloud setting, what is the ability to expand and contract the performance of workloads as if capacity were limitless
Autoscaling
What does SOAR follow from a task standpoint, and what automates the stages of that task
Playbook - checklist of actions
Runbook - automate as many stages of playbook as possible
What are some of the common VM Exploits
VM Escape
PrivEsc
Live VM Migration
Data Remnants - because VMs are abstract, they can leave behind remnants of data
List common web coding technologies
Web Servers - IIS, Apache
WebDev Frameworks - Angular, Ruby on Rails, Express.js, Django
Markup Languages - HTML, XML, CSS, JSON
Programming Languages - Perl, C#, JavaScript, Java, VB, .NET, Python, Ruby
Databases - Postgres, SQL, MariaDB
What parallels best practices in that they provide guidance on the secure implementation of various critical areas within an organization
Secure Design Patterns
Open Security Architecture
Carnegie Mellon Software Engineering Institute
Microsoft Azure
What is the difference between an API and middleware
APIs provide the core mechanisms that enable integration and orchestration across information systems, while middleware describes more comprehensive software designed to integrate two systems together.
What are the development-to-production environments and who has access to them
Development - early stage; developers have full access
Test/Integration - code from multiple developers merged into a single master branch
Staging/QA - mirrors production and focuses on regression testing
Production
Sandboxing - describes how each of the development environments is segmented from the others
What is a software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology
Service-Oriented Architecture (SOA)
Opens additional possibilities for information exchange and connectivity
What are two elements of SecDevOps
Security as Code (SaC) - automated methods of SAST and DAST
Infrastructure as Code (IaC) - leveraging configuration management tools to control change to infrastructure
What is the principle that developers should commit and test updates often
Continuous Integration
What is the principle of testing all of the infrastructure that supports the application
Continuous Delivery
What is the principle of making changes to the production environment and name some popular configuration management tools
Continuous Deployment
Puppet
Ansible
Octopus Deploy
What principle of delivery would utilize a SOAR System
Continuous Monitoring
What is the delivery model that describes the requirements governing a software development project
Continuous Validation
Compliance testing process that verifies the software is fit-for-purpose
What can be used to protect against issues relating to credential theft and misuse
Privileged Access Management (PAM)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions
What language can be used to assist with federated networks and what protocol supports the communications
Security Assertion Markup Language (SAML)
Simple Object Access Protocol (SOAP)
What is an identity federation method that provides SSO and enables websites to make informed authorization decisions to protect online resources
Shibboleth
Commonly used in universities
Name and explain the access control methods
Discretionary (DAC) - owner-controlled and most flexible
Mandatory (MAC) - based on security clearance
Role-Based (RBAC) - centralized control compared to DAC; rights are granted implicitly through role membership
Attribute-Based (ABAC) - most fine-grained
Rule-Based - access is determined by rules rather than by users or objects; firewalls are the best example
What is an AAA protocol used to manage remote and wireless authentication infrastructure that has stood the test of time
Remote Authentication Dial-In User Service (RADIUS) - the client is the access device - switch, AP, or VPN Gateway
Which protocol improved upon RADIUS, and how
Diameter - it uses TCP instead of UDP and has a failover mechanism. Not very widespread.
What is the Cisco developed authentication control system specifically designed for managing network devices
Terminal Access Controller Access-Control System Plus (TACACS+)
Uses TCP Port 49
Name some common Access Control and Authorization Systems
LDAP - extensible directory service protocol
LDAPS - method of implementing LDAP over SSL/TLS
Kerberos - SSO system based on time-sensitive ticket granting
Open Authorization (OAuth) - for RESTful APIs
Extensible Authentication Protocol (EAP) - framework for negotiating authentication methods that enables systems to use hardware-based authenticators such as fingerprint scanners.
802.1X - Standard for encapsulating EAP over a LAN
What is the concept related to authentication where a user is verified using various characteristics and credentials
Identity Proofing
What is the difference between in-band and out-of-band 2-step verification
Out-of-Band - uses a mechanism or channel different from the one being authenticated - SMS, app, push notification, phone call, etc.
In-Band - uses the same channel, such as a second set of credentials
What is the algorithm used for token-based authentication such as key fobs or smartphones
HMAC-Based One-Time Password (HOTP)
The server is configured with a counter window to cope with the device and server moving out of sync
Time-Based One-Time Password (TOTP) - addresses the issue above by expiring tokens
What is a cryptographic module embedded within a computer system that can endorse trusted execution
Hardware Root of Trust (RoT)
RoT is usually established by a type of crypto processor called a Trusted Platform Module (TPM) - can be managed in Windows via TPM.msc
What is the subset of JavaScript used in Representational State Transfer (REST)
JavaScript Object Notation (JSON) Web Token (JWT)
This is protected with a Message Authentication Code (MAC), combining its hash with a shared secret
What products/tools automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization
Data Loss Prevention (DLP)
Policy Server
Endpoint Agent
Network Agents
What is the protection to control how digital content is used after publication
Digital Rights Management (DRM)
What describes the mechanism to hide data, and what encoding is popular
Obfuscation and Masking
Base64
What is a common technique in the credit card industry to represent sensitive data
Tokenization
What is a software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology
Microservices
What is the term describing the use of virtualization to manage all traditional hardware elements of an infrastructure through a single software-based solution
Hyperconverged Infrastructure (HCI)
What is the main difference between Emulation and Virtualization?
Emulation, unlike virtualization, does not have to use the same hardware architecture (such as x86). It is more resource-intensive than virtualization and therefore slower. Better for older OSes and gaming systems
QEMU, Wine, Android Studio
What is the top cause of data breaches in the cloud?
Misconfiguration
The use of middleware (the plumbing) with frameworks such as SOAP, JSON and REST.
What type of attack typically exploits overly permissive access by querying metadata
Server-Side Request Forgery (SSRF)
What are some limitations of CSPs associated with VPCs
Overlapping CIDR Blocks
Transitive Peering
What are the Cloud Storage Types
Object - for applications needing access to documents, video, and images
File-Based
Block - high performance transactional such as databases
Blob - Unstructured and common for archive and backup sets
What is the refinement of machine learning that enables machines to develop strategies for solving a task given a labeled dataset and without further explicit instructions
Deep Learning
A subset used to create synthetic images of real persons is called deepfakes