Section 3.3 Implementing secure network designs Flashcards
What provides a first line of defense for detecting and preventing attacks at your network border?
Network security devices and secure network design
What is a network device that helps evenly distribute the flow of network traffic to other network devices, either in an active/active mode or an active/passive mode?
Load balancer
If one router receives too many requests what could happen?
A bottleneck or network delays
What is required to analyze incoming requests and route them evenly between servers?
Load balancer
What can schedule their functions through different techniques or can use intelligent methods to detect which servers are overloaded and which are free?
Load balancers
What prevents DoS network attacks by detecting floods of network packets and preventing them from overloading a device?
Load Balancer
What enhances load balancing by combining the resources of all servers so they can be used to perform the same task as one server?
Clustering
In what mode of load balancing do the load balancers act like an array, dealing with traffic together as both are active?
Active/Active mode
What eliminates a host’s dependency upon individual network interfaces?
a Virtual IP address
Web traffic comes into the network load balancer from the?
Virtual IP Address
What NLB setting knows the status of all servers in the server farms and which web servers are the least utilized by using a scheduling algorithm?
Least Utilized Host
What NLB setting takes the incoming request then contacts the DNS server and rotates the request based on the lowest IP address first?
DNS Round Robin
What NLB setting sends the request to the same web server based on the requester’s IP address, IP + port, and/or session ID?
Affinity
What do you call a private network that is designed to host the information internal to the organization?
Intranet
What do you call a section of an organization’s network that has been sectioned off to act as an intranet for the private network but also serves information to external business partners or the public internet?
Extranet
What do you call an extranet for public consumption that is typically labeled a DMZ or perimeter network?
Screened Subnet
What is used to control traffic and isolate static/sensitive environments?
Network segmentation
What do you call a collection of devices that communicate with one another as if they made up a single physical LAN?
VLAN
What do you call a subnet that is placed between two routers or firewalls?
Screened subnet
Bastion hosts are located within which subnet?
Screened subnet
What extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network?
VPN
What is the most secure VPN tunneling protocol that can use certificates, Kerberos authentication, or a pre-shared key?
L2TP/IPSec
What VPN works with legacy systems and uses SSL certificates for authentication?
Secure Socket Layer VPN
What VPN uses certificates for authentication and just needs an HTML-5 compatible browser such as Opera, Edge, Firefox, or Safari?
HTML 5 VPN
What mode of VPN means all traffic, both for the internet and the corporate network, runs through the VPN?
Full Tunnel
What mode of VPN is used for traffic destined for the corporate network only and internet traffic is sent through its normal route?
Split Tunnel
In what kind of scenario is a connection initiated from a user's PC or laptop for a connection of shorter duration?
Remote Access Scenario
What do you call a hierarchical naming system that resolves a hostname to an IP address?
DNS
What type of record is a text record used by DNS to prevent spam and confirm the email has come from the domain it appears to come from?
Sender Policy Framework
What type of record is used for mail servers?
MX
What type of record is a DNS text record that is used by ISPs to prevent malicious email, such as phishing or spear phishing attacks?
Domain-based Message Authentication, Reporting and Conformance (DMARC)
What stores recently resolved DNS requests for later reuse, reducing calls to the DNS server?
DNS Cache
What is a flat file where name and IP pairs are stored on a client? It is often checked before a request is sent to the DNS server.
Hosts File
What normally maintains only the hostnames for domains it is configured to serve? It is said to be ‘authoritative’ for those domains.
DNS server
What do you call DNS nameservers that operate in the root zone? They can also refer requests to the appropriate Top-Level Domain (TLD) server.
Root Server
What prevents unauthorized access to DNS records on the server? Each DNS record is digitally signed, creating an RRSIG (digitally signed) record to protect against attacks.
DNSSEC
What is it called when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or perform DoS against a system?
DNS poisoning
What is it called when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server?
DNS Spoofing
What is it called when an attacker uses a captive portal such as a pay-for-use Wi-Fi hotspot?
DNS hijacking
What kind of attack leverages similarities in character sets to register phony international domain names (IDNs) that appear legitimate to the naked eye?
Homograph attack
After a remote client has authenticated, __________ checks that the device being used is patched and compliant with corporate security policies.
Network Access Control (NAC)
What is it called when the operating system includes NAC as part of the operating system itself and no additional agent is required?
Agent-based/Agentless NAC
What kind of management enables IT to work around problems that may be occurring on the network?
Out-of-band Management
What kind of security turns off the port but limits the functionality of the switch?
Port security
What kind of security authenticates users or devices by a certificate before the connection is made? Prevents an unauthorized device from connecting and allows an authorized device to connect.
802.1x
What kind of protection prevents two or more connected switches from creating loops that create broadcast storms?
Loop protection
What protocol prevents broadcast storms from happening by forwarding, listening, or blocking on some ports?
Spanning Tree Protocol (STP)
What are the frames that contain information about the STP?
Bridge Protocol Data Units (BPDU)
What kind of attack will try and spoof the root bridge so that the STP is recalculated?
BPDU attack
What do you call a layer 2 security that prevents a rogue DHCP server from allocating IP addresses to a host on your network?
DHCP snooping
What is used by a wireless access point to block access to all non-authorized devices?
MAC filtering
What is a way some attackers get around MAC filtering?
MAC spoofing
What network appliance is typically placed on a screened subnet and allows admins to connect remotely to the network?
Jump Server
What network appliance is a server that controls requests from clients seeking resources on the internet or an external network?
Forward proxy
What network appliance is placed on a screened subnet and performs the authentication and decryption of a secure session to enable it to filter the incoming traffic?
Reverse Proxy
What kind of IDS can monitor activity on a single system only? A drawback is that attackers can discover and disable them.
Host based IDS
What kind of IDS can monitor activity on a network, and isn’t as visible to attackers?
Network based IDS
What type of IDS creates a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior? It can detect previously unknown attack methods.
Behavior-based
What type of IDS uses signatures similar to the signature definitions used by anti-malware software? It is only effective against known attacks.
Signature based
What mode of operation has the NIDS/NIPS placed on or near the firewall as an additional layer of security?
Inline/In-band
What mode of operation has the traffic not going through the NIDS/NIPS? Instead, sensors and collectors forward alerts to the NIDS.
Passive/Out of band
What can be placed on a network to alert NIDS of any changes in traffic patterns on the network?
Sensors and collectors
What do you call a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions? It is like a TPM, but is often a removable or external device.
Hardware Security Module (HSM)
What do you call a multifunction device (MFD) composed of several security features in addition to a firewall? More common in small and medium businesses.
Unified Threat Management (UTM)
What do you call packet inspection that inspects and filters both the header and payload of a packet that is transmitted through an inspection point? It can detect protocol non-compliance, spam, viruses, and intrusions.
Deep packet inspection
What firewall state watches network traffic and restricts or blocks packets based on source and destination addresses or other static values? Typically faster and performs better under heavier traffic loads.
Stateless
What firewall state can watch traffic streams from end to end? It is better at identifying unauthorized and forged communications.
Stateful
What firewall state is not aware of traffic patterns or data flows?
Stateless
What firewall state is aware of communication paths and can implement various IP security functions such as tunnels and encryption?
Stateful
What allows private subnets to communicate with other cloud services and the internet but hides the internal network from Internet users? Contains the Network Access Control List (NACL) for the private subnets.
Network Address Translation Gateway
What looks at the content on the requested web page and blocks requests depending on filters? Used to block inappropriate content in the context of the situation.
Content/URL filter
What type of firewall is one in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation?
Open source firewall
What type of firewall offers no vendor support?
Open source firewall
What type of firewalls are more expensive but tend to provide more/better protection and more functionality and support (at a cost)?
Proprietary
What type of firewall is a piece of purpose-built network hardware?
Hardware firewall
What type of firewall may offer more configurable support for LAN and WAN connections?
Hardware firewalls
What type of firewall often has superior throughput vs software firewalls because it is designed for the speeds and connections common to an enterprise network?
Hardware firewalls
What type of firewalls might you install on your own hardware?
Software firewalls