Tech Fundamentals Flashcards
What are the layers in OSI model?
MEDIA: how data is moved from A to B
Physical - network cards etc - it is dum. retransmits regardless of collisions. Standards to transmit/receive data. No addresses and no access control. Broadcast.
Data link - Switch is a device example. Mac address table connects a mac address to a port (first frame sent). Collisions avoided through media control and collisions are isolated. Runs on top of functional physical layer and is smart. Frames - format container for sending info. Introduces mac address that belong to a device. MAC addresses are globally unique. frames are converted to signals in order to travel over the physical layer. Looks for carrier signal before sending to avoid collisions. Removes the encapsulation (frame) before sending the payload to the application. If collision, jam, random backoff, then retry again and again and again with longer backoff times.
Network - Router is an example of a device. Needs one or more layer 2 (data link) in order to work. Layer 3 moves data between data links. In order for layer 2 to talk to another layer 2, they must use the same protocol. Layer 3 can span between these different layer 2s. It adds IP (IP addresses), ARP (address resolution protocol,route tables, routers, and routing. Encapsulation is an IP Packet. Frame is removed from packet and repacketed with each hop on intermediate networks. Frame is wrapped around the packet for each hop to designate the new sender. Trace! Internet protocol uses packets with source and destination IP addresses along with the frame for payload. Protocol field contains data for layer 4. TCP, UDP, ICMP (pings). Denotes which protocol to pass the packet into. TTL (v 4)/ Hop Limit (v 6) defines how many hops a packet can do before being discarded.
HOST: How data is chopped up and translated
Transport
Session
Presentation
Application - browser
WHat does each layer in the OSI know and depend on?
They know only about themselves and the layers below. EX 3 knows about 3, 2, 1
What is a frame made up of?
Preamble signals start of frame
MAC HEADER:
Destination MAC address
Source MAC address - allows replies
Ether type - which protocol on layer three is sending the frame in (IP is an ether type)
PAYLOAD - data being sent
Frame check sequence - destination can check if corruption has occurred.
What is an IP address structure IPv4?
Packets travel to the IP address. Dotted decimal notation. Uses 4 decimal numbers from 0 - 255.
IP addresses have two parts. Network and Host.
Binary is underlying the IP address represented with a dotted decimal. If the network component between two IP addresses matches, then the addresses are on the same network.
Like a house number being on the same street as another house number. The network portion of the IP address is the street. The host ID’s a specific house on that street.
IP addresses need to be unique, especially on local networks.
Subnet masks are on layer 3. They allow an IP address to determine whether another IP address is on the same network.
Route tables & routes
Every router has at least 1 route table. destination + next hop or target. Every packet the router checks the destination.
What is the Default route?
The least specific route is in a route table. Usually, the router is for home networks.
Broad Gateway Protocol
A set of connected routers that communicate the networks they know about.
What does ARP do?
Address resolution protocol. Gives you the MAC address for a given IP address. within a local network data is moved via frames. Does a roll call to find the matching IP address. Get’s the MAC address from that ARP on the destination. Strips the frame and de-encapsulates the data. Layer 2 is used for local communications.
What can layer 3 NOT do?
Channels of communication src ip are used to dest IP only.
It does not care about the ordering of packets that it sends between the source and destination.
Layer 4 & 5 Transport & Session
TCP and UDP are two protocols that run on top of IP. TCP for ordering and accuracy. Creates bi-directional comms. UDP is single direction (great for twitch…right…RIGHT?!)
TCP segments - talk about it
Segments are unique to TCP. Segments are placed inside packets. Segments don’t care about the IP for dest or src.
Segments - have src and dest PORTS instead. TCP IP combo has an IP address and a PORT. Single channel, single conversation, is identified by the combo of IP & Port.
Also, having sequence NUMBER puts a segment in its place. 1/23, 4/23, 2/23 Acknowledge field. receiver denotes the speed of packet uptake with acknowledgment.
CheckSUM will ensure that every packet makes its way there.
TCP header is short for all these fields in the TCP segment
What is a Network ACL in AWS?
Network ACL (access control list) is a stateless firewall that uses initiating traffic and subsequent traffic to set rules to allow traffic in OR out. That means TWO RULES per connection (in and out)
What will a security group firewall setup rules look like?
If inbound or outbound is allowed then the opposite is true as well. This is known as a stateful firewall.
What is the difference between stateless and stateful firewalls?
Stateful firewalls require only one rule to allow traffic. if inbound or outbound traffic are allowed then the inverese is also allowed. Network access control list (ACL)
Stateless firewalls require two rules per comms channel. One which will allow inbound and one which will allow outbound. Security groups.
NAT Network Address Translation
Allow multiple devices to share a single public IP address. Process to help with the shortage of IPv4 addresses. Translates to single then translates back.
What are types of NATs?
Static. 1:1 both directions - Needs to be consistent (Gateway)
Dynamic - pool of public to use for private. Efficient with many private to few public.
Port address Translation (PAT) - many private to a single IP address. NAT Gateway.
None for IPv6 (SO MANY ADDRESSES!)
Describe Static NAT
Private IPS can’t comm over internet. Need to translate private IP to public IP address and translate it back. The NAT device (or router) has a NAT table that stores the translations.
Router sees the packet being sent public IP so it changes the private IP into a public IP and puts that in the source IP.
Internet gateway AWS does this.
Describe Dynamic NAT
I{P addresses are assigned from a pool to devices sending packets to the public internet. These assignments are temporary. Multiple private devices can use the same IP so long as they do not use the IP at the same time.
IF no IP available, access to public internet will fail.
Describe Port address translation (PAT)
How the AWS NAT gateway works.
n:1 many private IPs
Uses ports to allow multiple private IPS to run on a single public IP address. Information to connect the private and public IP/Port combination so that translation can be done in both directions. Source port is randomly assigned.
IPv4 Info how many addresses?
How do you get one?
start and end?
classes?
over 4.3 billion addresses
it is allocated - it cannot be random
part is private
0.0.0.0
255.255.255.255
Class A: 0 - 127.255.255.255 HUGE networks (businesses)
Class B: 128.0.0.0
Used for larger business but didn’t need class A
first 2 octet for network last two is for subnets etc
Class C: over 2 million networks
first 3 network rest is for host or subnet
Class D: controlled by regional authorities
Describe IPv6
How many?
340 Trillion, Trillion, Trillion addresses.
HUGE!
Subnetting IPv4
/16 network is prefix - 1st two are the network
/8 is a class A network
Dividing a network into parts to allow more networks
/16 divided into two /17’s
/17’s are both divided into 2 more /18’s
At the end you would get 4 /18’s
Breaking down a larger network into many smaller networks. (each have a higher prefix.
Halfing the ranges progressively.
DDOS attacks Explain them
There are a few ways to overload websites or internet-based services.
Application layer - HTTP floods (inbalnace in processes delivery vs requests). Making a request is easy. Responding is hard.
Protocol - SYN Flood Spoof a source attempts to contact and hangs connection waiting to get an acknowledgment from the fake requestor.
Volumetric - DNS amplification large amt of data.
Often orchestrated via compromised machines (botnets) less size of botnet. Protocol imbalance. LARGE responses with small requests needed to initiate. Legitimate requests will be laggy. Impacts the data connection. Takes down larger websites.
Cannot be combated with normal network protections while still keeping the service available.
VLAN is…
A virtual local area network. Segmenting a network for different purposes. Security, telephony, support, floors, finance, etc. VLAN implemented with layer 2. Frames with dest and src MAC addresses.
.1Q changes frames by adding a field - enables VLAN ID or VID.
separates frames into logical networks.
QnQ - provider bridging - another VLAN field on a frame. Keep same field from before then add an S TAG or service tag.
If two VLANS want to communicate they must use a router.
Isolated traffic!
Separate network. Won’t see each other’s traffic.
.1Q VLAN Describe it…
truck port has all VLANIDs associated to it. ACCESS has one. Trunk is a connection between two .1Q devices.
Access ports comm with stations using ethernet.
VLAN switch forwards to other access ports.
AWS Direct connect vifs
IP conversion - what does the table look like?
What would 133.55.55.8 be in binary?
128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
SSL & TSS
High level same thing.
Secure socket layer. Old
Transport Layer Security. New
Privacy and data integrity between client and server.
TLS -
Encryption privacy: (asyemetric encryption) use symmetric encryption long term. TLS moves from asym to symm. Asym is expensive.
ID verification: majority client verifies that server is the target.
Ensures reliability
Cipher suites
A set of protocols used by TLS. Key exchange, bulk encrypt, message auth code.
Groups of these known as cipher suite.
Happens right after TCP connection.
Client hello, server hello included is the cipher being used and server certificate, client validates ID.
Authentication
Server is valid, key is valid, and
Uses a certificate authority to validate the cert from the server.
Key exchange phase
move from asym to symm encryption. Cheaper encrypt and decrypt. Client gens pre-master key - encrypted with the server’s cipher. Server must decrypt to get the key. Used over the lifetime of the connection.
Border Gateway Protocol
Routing on layer 3. How data moves through points.
Lot of Autonomous Systems. The internals of a network is a black box to BGP.
Each system is assigned a number ASN by IANA. BGP uses this number to tell one network from another.
Operates over TCP on port 179. Error correction and flow control.
It is not automatic. Must create a relationship between two ASNs.
Those networks get to learn about each other and they communicate this out to any other network. Each system exchanges network topology information.
Path vector protocol - what is the best path between a peer? ONLY that path. AS path. Does not take into account speeds, quality etc. It only cares about the most direct and shortest path.
IBGP or EBGP
I is internal E is external.
When might you want to use Jumbo Frames?
Whenever you can! Big but at the end tho…
Standard has a max transmission unit of 1500 bytes. Anything bigger is a jumbo frame.
Max size of 9000 bytes.
They can help improve performance.
Always overhead on a frame regardless of type.
High ratio of overhead to payload in standard.
More payload data per frame and less overhead in total. More efficient however, you need to make sure both sides support jumbo. Not all AWS services allow jumbo frames.
Only same region peering, direct connect and TGW up to 8500 support jumbo frames.
Application Firewalls (Layer 7).
3&4 ports, IP, packets
Layer 5 sessions - request and response paired into a session
Layer 7 sees all. Understands many protocols including HTTP. Headers, hosts, data, etc. All the way down to layer 1.
Between two HTTPS connection the Layer 7 firewall can see all content as HTTP or plain text.
React to data, flows, and content.
IPSEC VPN
Group of protocols to setup secure tunnels between networks over the public internet.
Authentication allows connection. Encrypted always.
Uses a phase 1 tunnel to setup a route tunnel in phase 2 that travels inside of the phase 1 tunnel. For route based VPN all traffic is treated the same. For policy based you can differentiate how different types of traffic is handled. More setup more control.
Fiber optic cables
Transfers light over glass or plastic. They have much higher speeds. Resistant to Electromagnetic and water ingress. More consistent and reliable than copper.
Made up of core, cladding, and buffer.
Core is 9 microns across. TINY about the size of a human hair.
Cladding - has lower refractive rating. Keeps light bouncing down the core.
Buffer - physical safety for the cladding and core. j
Jacket - outer jacket usually colored with varied meanings for the cable’s function.
single mode - small core yellow jacket sometimes. Tiny core means straight path down the cable. lasers used. Long distance with excellent speed. 10G and up.
Multi mode - bigger core and usually orange or aqua. different colors of light travelling down the same cable and don’t interfere. Tends to be faster. More distortion over longer distances though. LED based optics. Cheaper. OM2, 3, 4
Transceivers allows network equipment connection. SFP generates or receives light. Translates light to data and data to light.
Assym vs Symm encryption
Plus signing
Steganography
Envelope encryption / Amazon KMS
ASYM is harder but more secure for initial. The public key can only encrypt. The private key can only decrypt.
Signing - private key used to sign the message. Use public key to prove signing was done with private key.
Steganography - not tied to a key. Invisible ink style. Hiding data inside other data. Key number or pattern is used to reveal the
KMS key management service, Key encryption key (KEK), Can’t access KMS keys directly through KMS.
DEK data encryption key generated by KMS. KMS keys are SYMM. DEK must be decrypted by the KMS’s KEK.
KMS does not store the DEK.
HSM Hardware Security Modules
Manages and stores your keys. Accessible only through a very rigorous process. Keys never leave the device. Authentication takes place inside the HSM.
Digital signatures
Verifies data integrity and authenticity.
Hash is taken of the data, but the original data remains unaltered.
Can use private key to validate data using a chain of trust.
Hashing
Turns ANY data into a fixed length string. BitCoin uses hashing.
Hadh function is a piece of code, and a few are used repetitively.
Any change no matter how minor will give a different hash value.
Cannot get the original data back from the hash. Given the same data you will always get the same hash value.
One way only.
User name and password.
instead of sending password, we send hash of password. All server needs to do is verify that the hash matches the one on record.
MD5 is poop.
Collision is a risk. Getting the same hash values for two different pieces of data. (MD5 does this)
DNS Domain Name System - what does it do?
COnnects a name to an IP address. Big contact database.
www.netflix.com -> DNS Server -> IP Address -> Computer connects to IP address
DNS - why do we need lots of DNS servers?
Traffic volume.
Single point of failure.
DNS is a HUGE database - around 341 million domains. Each has many records.
Data will need updating.
We need to delegate control to a region or entity.
DNS ZONE - each zone has records - stored on a disk called a ZONE FILE.
DNS Name Server - serves one or more zones
Authoritative - real records
Non-authoritative - Cached copies of records or zones
Hierarchical structure.
Splits up the data and load.
ROOT - hosted on DNS name server. Runs on root servers 13 of them. This is the point that all queries start. Many entities manage these roots. NASA, govt,
Stores info on top level domains of DNS. Generic (.com) and country (.eu etc.)
TLDs (.com, .edu, .io) -> Top Level Domain servers -> Name servers -> Domain server (zone and zone files)
AWS Route53 is a domain registrar
AWS Hosted Zones is a Hosting Provider
DNSSEC
Secure addon for DNS.
Provides data origin authentication and data integrity protection.
Establishes a chain of trust with cryptography using public keys.
Additive - does not replace DNS.
Does not show what the data should have been - only tells you that it cannot be validated from the source.
Gives an RRSIG on return. RR is resource record. Uses private and public keys to encrypt.
RRSET is signed. Signed RRSET is stored along with RRSIG. If anything changes, the RRSIG must be updated with the private key. If they are different, then the RRSIG is invalid.
DNSKEY is the public piece of the keys used to encrypt. 256 key is a zone key, 257 is a key signing key.
DNSKEY is signed by the KSK.
What is an A record?
A DNS record containing an IPv4 address.
RRSET what are they? What uses them?
Resource Record Set - a set of records that are the sasnme name and same type. mail exchange with same name. They make it easier to deal with records in sets. Used within DNSSEC. RRSETs are what are validated by DNSSEC
What is a ZSK Zone signing key used for?
Used to sign a RRSET to validate that the DNS record set is still valid. The private part does the signing. The public part does the validating.
What three things does a DNSSEC Resolver need to verify a DNS record?
The record set, the DNSKEY (Zone signing key), and the record set signature.
How can you verify that a Zone Signing Key is valid in DNSSEC?
Key Signing Key is used to sign a Zone Signing Key. It lives outside the zone.
What steps happen in a record query in DNSSEC?
Resolver queries for a record.
Resolver gets record along with RRSIG created by ZSK.
Resolver gets the ZSK’s public key and checks the publics key’s signature against the Key Signing Key.
The resolver trusts the ZSK and uses it to verify the DNS RRSET.
what is a DS record?
A hash of the child’s key signing key that is stored with the parent in the DNS tree.
What are the levels of parent/child in the DNS tree?
ROOT
TLD ZONE
DOMAIN ZONE - Second level & Sub domains
HOSTNAMES
DNS RECORDS
Why do we trust the root key signing key?
It is explicit. It is an anchor. No parent zone to root zone. It just is.
Root Signing Ceremony
Two locations, CA and VA. Private DNS root key signing key. They are stored. Trust in them is hardcoded.
The keys are locked away and stored in very secured ways. Access is controlled via HSM (hardware security module). Must have the needed group of people in order to access them.
This is a physical meeting. Pool of individuals. This is all very procedural. the output is a new RRSIG on the public root DNSKEY.
What is the chain of trust created from in DNSSEC?
Root has trust implicitly. Below are hashes that can be validated via public keys.
What is Kubernetes?
A container orchestration system. Automate deployment, scaling, and mgmt of containerized applications. Like Docker, except smart and automated.
What is a cluster in kubernetes?
A highly available cluster of compute resources organized to work as a single unit is managed by the control plane, which schedules, scales, and deploys.
It contains nodes, which are virtual or physical servers. Each node is required to have software that enables the cluster control plane to manage it, such as docker and kubelet.
Talk about the control plane in kubernetes.
cloud-controller-manager - enables connection to cloud platforms - optional
kube-controller-manager - collection of processes
kube-scheduler - ensures that the pods are used efficiently.
kube-apiserver is the interface
Nodes contrain. Pods are the smallest unit of compute in kubernetes and are non-permanent. They are temporarily created then disposed of after their job is done.
What is an ingress?
allows outside interaction into a service that is on a kubernetes cluster.
There is a controller that can utilize load balancing.
Talk about storage in kubernetes. k8s
Storage is ephemeral in kubernetes. Pods are scrapped after a job is complete so storage is not viable on a pods. If you need to store on kubernetes, you must configure PVs or persistent storage.
What is RPO?
Recovery Point Objective. How much data can be lost during a DR situation? Hours worth of data can be lost. Minutes of data can be lost.
Banks… seconds of data loss.
Backups should be done at minimum on that RPO. Or more often… better.
Lower RPO, higher backup costs.
Different types of data in the same business may have different RPO.
What is RTO?
Recovery Time Objective
How long can a service or system be unavailable after a disaster?
Bank, lower RTO.
Systems could have different RTOs within the same business.
Clock starts when the issue occurs.
Clock stops when the system is up, tested, and being used by the client.
YAML
human readable data serialization language. Key value pairs.
can use strings, numbers, decimal, bools
values can be comma-separated lists of a thing.
Indentation delimiters. Must format correctly
Dictionary is a collection of key value pairs.
Can build complex data structures in YAML. Used for storage and passing of information.
JSON
JavaScript Object Notation
data interchange format. easy for humans and computers. Key value pairs.
JSON is delimited not by whitespace.. YAY
Object is a dictionary. Objects can be nested.
Array is ordered collection [ ] (in YAML is list)
Values contained in object.
Cloud Computing - 5 requirements and definition
Five characteristics determine if a system is a cloud.
1. On-demand self-service: Consumers can provision capabilities without needing interaction from a human.
- Broad Network Access: capabilities are available over the network and accessed through standard mechanisms. Remote desktop, HTTP, VPN. etc.
- Resource pooling - Pools (easier scaling) of resources to serve many consumers using a multi-tenant model (with isolation between consumers) with independence in location. No knowledge of where the hardware sits.
- Rapid elasticity - Capabilities can be provisions and released to scale rapidly elastically with demand. Resources appear to be unlimited. Demand ^ Cost ^, Demand down, cost down.
- Measured service: Resource use and be monitored, controlled, reported, and billed.
NIST created a definition - 800-145 doc
AWS, AZURE, GCP are these
Public vs private vs hybrid vs Multi Cloud
Public - platform available to the public.
Multicloud - You use multiple public cloud providers. AWS could fail and the business keeps chugging. Don’t use a single pane of glass providers. Lose a lot of what makes each vendor unique (AWS, GCP, Azure). Highly available.
Private - Outposts, azure stack, anthos. On Prem infrastructure. Private cloud still has to meet the cloud definition. Dedicated to the business. ON PREM CLOUD.
Hybrid cloud - Private mixed with public to create a single environment.
Hybrid environment/networking - Public cloud used with on prem infrastructure.
Cloud service models
Infrastructure stack?
Unit of consumption
Something as a service.
Infra/application stack - facility, infra, server, virtualization, OS, container, runtime, data, application
Parts of the stack are managed by different parties.
Unit of consumption - makes service models different.
Infrastructure as a service - infra up to virtualization is provided by vendor. Consumer consumes the operating system. Pay per time for the virtual machine. Lose flexibility because you can only use what the providers allows.
Platform as a service (PaaS) - Infra up to the container. Consumers consume the Runtime.
Software as a Service - Infra up to the data. Consumer consumes the application.
