Tech Fundamentals

Question 1

What are the layers in OSI model?

Answer 1

MEDIA: how data is moved from A to B
Physical - network cards etc - it is dum. retransmits regardless of collisions. Standards to transmit/receive data. No addresses and no access control. Broadcast.

Data link - Switch is a device example. Mac address table connects a mac address to a port (first frame sent). Collisions avoided through media control and collisions are isolated. Runs on top of functional physical layer and is smart. Frames - format container for sending info. Introduces mac address that belong to a device. MAC addresses are globally unique. frames are converted to signals in order to travel over the physical layer. Looks for carrier signal before sending to avoid collisions. Removes the encapsulation (frame) before sending the payload to the application. If collision, jam, random backoff, then retry again and again and again with longer backoff times.

Network - Router is an example of a device. Needs one or more layer 2 (data link) in order to work. Layer 3 moves data between data links. In order for layer 2 to talk to another layer 2, they must use the same protocol. Layer 3 can span between these different layer 2s. It adds IP (IP addresses), ARP (address resolution protocol,route tables, routers, and routing. Encapsulation is an IP Packet. Frame is removed from packet and repacketed with each hop on intermediate networks. Frame is wrapped around the packet for each hop to designate the new sender. Trace! Internet protocol uses packets with source and destination IP addresses along with the frame for payload. Protocol field contains data for layer 4. TCP, UDP, ICMP (pings). Denotes which protocol to pass the packet into. TTL (v 4)/ Hop Limit (v 6) defines how many hops a packet can do before being discarded.

HOST: How data is chopped up and translated
Transport
Session
Presentation
Application - browser

Question 2

WHat does each layer in the OSI know and depend on?

Answer 2

They know only about themselves and the layers below. EX 3 knows about 3, 2, 1

Question 3

What is a frame made up of?

Answer 3

Preamble signals start of frame
MAC HEADER:
Destination MAC address
Source MAC address - allows replies
Ether type - which protocol on layer three is sending the frame in (IP is an ether type)

PAYLOAD - data being sent

Frame check sequence - destination can check if corruption has occurred.

Question 4

What is an IP address structure IPv4?

Answer 4

Packets travel to the IP address. Dotted decimal notation. Uses 4 decimal numbers from 0 - 255.
IP addresses have two parts. Network and Host.

Binary is underlying the IP address represented with a dotted decimal. If the network component between two IP addresses matches, then the addresses are on the same network.

Like a house number being on the same street as another house number. The network portion of the IP address is the street. The host ID’s a specific house on that street.
IP addresses need to be unique, especially on local networks.

Subnet masks are on layer 3. They allow an IP address to determine whether another IP address is on the same network.

Question 5

Route tables & routes

Answer 5

Every router has at least 1 route table. destination + next hop or target. Every packet the router checks the destination.

Question 6

What is the Default route?

Answer 6

The least specific route is in a route table. Usually, the router is for home networks.

Question 7

Broad Gateway Protocol

Answer 7

A set of connected routers that communicate the networks they know about.

Question 8

What does ARP do?

Answer 8

Address resolution protocol. Gives you the MAC address for a given IP address. within a local network data is moved via frames. Does a roll call to find the matching IP address. Get’s the MAC address from that ARP on the destination. Strips the frame and de-encapsulates the data. Layer 2 is used for local communications.

Question 9

What can layer 3 NOT do?

Answer 9

Channels of communication src ip are used to dest IP only.
It does not care about the ordering of packets that it sends between the source and destination.

Question 10

Layer 4 & 5 Transport & Session

Answer 10

TCP and UDP are two protocols that run on top of IP. TCP for ordering and accuracy. Creates bi-directional comms. UDP is single direction (great for twitch…right…RIGHT?!)

Question 11

TCP segments - talk about it

Answer 11

Segments are unique to TCP. Segments are placed inside packets. Segments don’t care about the IP for dest or src.

Segments - have src and dest PORTS instead. TCP IP combo has an IP address and a PORT. Single channel, single conversation, is identified by the combo of IP & Port.
Also, having sequence NUMBER puts a segment in its place. 1/23, 4/23, 2/23 Acknowledge field. receiver denotes the speed of packet uptake with acknowledgment.
CheckSUM will ensure that every packet makes its way there.
TCP header is short for all these fields in the TCP segment

Question 12

What is a Network ACL in AWS?

Answer 12

Network ACL (access control list) is a stateless firewall that uses initiating traffic and subsequent traffic to set rules to allow traffic in OR out. That means TWO RULES per connection (in and out)

Question 13

What will a security group firewall setup rules look like?

Answer 13

If inbound or outbound is allowed then the opposite is true as well. This is known as a stateful firewall.

Question 14

What is the difference between stateless and stateful firewalls?

Answer 14

Stateful firewalls require only one rule to allow traffic. if inbound or outbound traffic are allowed then the inverese is also allowed. Network access control list (ACL)

Stateless firewalls require two rules per comms channel. One which will allow inbound and one which will allow outbound. Security groups.

Question 15

NAT Network Address Translation

Answer 15

Allow multiple devices to share a single public IP address. Process to help with the shortage of IPv4 addresses. Translates to single then translates back.

Question 16

What are types of NATs?

Answer 16

Static. 1:1 both directions - Needs to be consistent (Gateway)
Dynamic - pool of public to use for private. Efficient with many private to few public.
Port address Translation (PAT) - many private to a single IP address. NAT Gateway.
None for IPv6 (SO MANY ADDRESSES!)

Question 17

Describe Static NAT

Answer 17

Private IPS can’t comm over internet. Need to translate private IP to public IP address and translate it back. The NAT device (or router) has a NAT table that stores the translations.
Router sees the packet being sent public IP so it changes the private IP into a public IP and puts that in the source IP.
Internet gateway AWS does this.

Question 18

Describe Dynamic NAT

Answer 18

I{P addresses are assigned from a pool to devices sending packets to the public internet. These assignments are temporary. Multiple private devices can use the same IP so long as they do not use the IP at the same time.
IF no IP available, access to public internet will fail.

Question 19

Describe Port address translation (PAT)

Answer 19

How the AWS NAT gateway works.
n:1 many private IPs
Uses ports to allow multiple private IPS to run on a single public IP address. Information to connect the private and public IP/Port combination so that translation can be done in both directions. Source port is randomly assigned.

Question 20

IPv4 Info how many addresses?
How do you get one?
start and end?
classes?

Answer 20

over 4.3 billion addresses
it is allocated - it cannot be random
part is private
0.0.0.0
255.255.255.255
Class A: 0 - 127.255.255.255 HUGE networks (businesses)
Class B: 128.0.0.0
Used for larger business but didn’t need class A
first 2 octet for network last two is for subnets etc
Class C: over 2 million networks
first 3 network rest is for host or subnet
Class D: controlled by regional authorities

Question 21

Describe IPv6
How many?

Answer 21

340 Trillion, Trillion, Trillion addresses.
HUGE!

Question 22

Subnetting IPv4

Answer 22

/16 network is prefix - 1st two are the network
/8 is a class A network
Dividing a network into parts to allow more networks
/16 divided into two /17’s
/17’s are both divided into 2 more /18’s
At the end you would get 4 /18’s

Breaking down a larger network into many smaller networks. (each have a higher prefix.

Halfing the ranges progressively.

Question 23

DDOS attacks Explain them

Answer 23

There are a few ways to overload websites or internet-based services.
Application layer - HTTP floods (inbalnace in processes delivery vs requests). Making a request is easy. Responding is hard.

Protocol - SYN Flood Spoof a source attempts to contact and hangs connection waiting to get an acknowledgment from the fake requestor.

Volumetric - DNS amplification large amt of data.
Often orchestrated via compromised machines (botnets) less size of botnet. Protocol imbalance. LARGE responses with small requests needed to initiate. Legitimate requests will be laggy. Impacts the data connection. Takes down larger websites.

Cannot be combated with normal network protections while still keeping the service available.

Question 24

VLAN is…

Answer 24

A virtual local area network. Segmenting a network for different purposes. Security, telephony, support, floors, finance, etc. VLAN implemented with layer 2. Frames with dest and src MAC addresses.
.1Q changes frames by adding a field - enables VLAN ID or VID.
separates frames into logical networks.
QnQ - provider bridging - another VLAN field on a frame. Keep same field from before then add an S TAG or service tag.
If two VLANS want to communicate they must use a router.
Isolated traffic!
Separate network. Won’t see each other’s traffic.

Question 25

.1Q VLAN Describe it…

Answer 25

truck port has all VLANIDs associated to it. ACCESS has one. Trunk is a connection between two .1Q devices.
Access ports comm with stations using ethernet.
VLAN switch forwards to other access ports.
AWS Direct connect vifs

Question 26

IP conversion - what does the table look like?

What would 133.55.55.8 be in binary?

Answer 26

128 | 64 | 32 | 16 | 8 | 4 | 2 | 1

Question 27

SSL & TSS

Answer 27

High level same thing.
Secure socket layer. Old
Transport Layer Security. New
Privacy and data integrity between client and server.

TLS -
Encryption privacy: (asyemetric encryption) use symmetric encryption long term. TLS moves from asym to symm. Asym is expensive.
ID verification: majority client verifies that server is the target.
Ensures reliability

Question 28

Cipher suites

Answer 28

A set of protocols used by TLS. Key exchange, bulk encrypt, message auth code.

Groups of these known as cipher suite.

Happens right after TCP connection.
Client hello, server hello included is the cipher being used and server certificate, client validates ID.

Question 29

Authentication

Answer 29

Server is valid, key is valid, and

Uses a certificate authority to validate the cert from the server.

Question 30

Key exchange phase

Answer 30

move from asym to symm encryption. Cheaper encrypt and decrypt. Client gens pre-master key - encrypted with the server’s cipher. Server must decrypt to get the key. Used over the lifetime of the connection.

Question 31

Border Gateway Protocol

Answer 31

Routing on layer 3. How data moves through points.
Lot of Autonomous Systems. The internals of a network is a black box to BGP.

Each system is assigned a number ASN by IANA. BGP uses this number to tell one network from another.

Operates over TCP on port 179. Error correction and flow control.

It is not automatic. Must create a relationship between two ASNs.

Those networks get to learn about each other and they communicate this out to any other network. Each system exchanges network topology information.

Path vector protocol - what is the best path between a peer? ONLY that path. AS path. Does not take into account speeds, quality etc. It only cares about the most direct and shortest path.

IBGP or EBGP
I is internal E is external.

Question 32

When might you want to use Jumbo Frames?

Answer 32

Whenever you can! Big but at the end tho…

Standard has a max transmission unit of 1500 bytes. Anything bigger is a jumbo frame.
Max size of 9000 bytes.
They can help improve performance.
Always overhead on a frame regardless of type.
High ratio of overhead to payload in standard.

More payload data per frame and less overhead in total. More efficient however, you need to make sure both sides support jumbo. Not all AWS services allow jumbo frames.

Only same region peering, direct connect and TGW up to 8500 support jumbo frames.

Question 33

Application Firewalls (Layer 7).

Answer 33

3&4 ports, IP, packets
Layer 5 sessions - request and response paired into a session
Layer 7 sees all. Understands many protocols including HTTP. Headers, hosts, data, etc. All the way down to layer 1.
Between two HTTPS connection the Layer 7 firewall can see all content as HTTP or plain text.
React to data, flows, and content.

Question 34

IPSEC VPN

Answer 34

Group of protocols to setup secure tunnels between networks over the public internet.

Authentication allows connection. Encrypted always.
Uses a phase 1 tunnel to setup a route tunnel in phase 2 that travels inside of the phase 1 tunnel. For route based VPN all traffic is treated the same. For policy based you can differentiate how different types of traffic is handled. More setup more control.

Question 35

Fiber optic cables

Answer 35

Transfers light over glass or plastic. They have much higher speeds. Resistant to Electromagnetic and water ingress. More consistent and reliable than copper.

Made up of core, cladding, and buffer.
Core is 9 microns across. TINY about the size of a human hair.
Cladding - has lower refractive rating. Keeps light bouncing down the core.
Buffer - physical safety for the cladding and core. j
Jacket - outer jacket usually colored with varied meanings for the cable’s function.

single mode - small core yellow jacket sometimes. Tiny core means straight path down the cable. lasers used. Long distance with excellent speed. 10G and up.

Multi mode - bigger core and usually orange or aqua. different colors of light travelling down the same cable and don’t interfere. Tends to be faster. More distortion over longer distances though. LED based optics. Cheaper. OM2, 3, 4

Transceivers allows network equipment connection. SFP generates or receives light. Translates light to data and data to light.

Question 36

Assym vs Symm encryption
Plus signing
Steganography
Envelope encryption / Amazon KMS

Answer 36

ASYM is harder but more secure for initial. The public key can only encrypt. The private key can only decrypt.

Signing - private key used to sign the message. Use public key to prove signing was done with private key.

Steganography - not tied to a key. Invisible ink style. Hiding data inside other data. Key number or pattern is used to reveal the

KMS key management service, Key encryption key (KEK), Can’t access KMS keys directly through KMS.
DEK data encryption key generated by KMS. KMS keys are SYMM. DEK must be decrypted by the KMS’s KEK.
KMS does not store the DEK.

Question 37

HSM Hardware Security Modules

Answer 37

Manages and stores your keys. Accessible only through a very rigorous process. Keys never leave the device. Authentication takes place inside the HSM.

Question 38

Digital signatures

Answer 38

Verifies data integrity and authenticity.
Hash is taken of the data, but the original data remains unaltered.
Can use private key to validate data using a chain of trust.

Question 39

Hashing

Answer 39

Turns ANY data into a fixed length string. BitCoin uses hashing.
Hadh function is a piece of code, and a few are used repetitively.
Any change no matter how minor will give a different hash value.
Cannot get the original data back from the hash. Given the same data you will always get the same hash value.
One way only.
User name and password.
instead of sending password, we send hash of password. All server needs to do is verify that the hash matches the one on record.
MD5 is poop.
Collision is a risk. Getting the same hash values for two different pieces of data. (MD5 does this)

Question 40

DNS Domain Name System - what does it do?

Answer 40

COnnects a name to an IP address. Big contact database.
www.netflix.com -> DNS Server -> IP Address -> Computer connects to IP address

Question 41

DNS - why do we need lots of DNS servers?

Answer 41

Traffic volume.
Single point of failure.
DNS is a HUGE database - around 341 million domains. Each has many records.
Data will need updating.
We need to delegate control to a region or entity.
DNS ZONE - each zone has records - stored on a disk called a ZONE FILE.
DNS Name Server - serves one or more zones
Authoritative - real records
Non-authoritative - Cached copies of records or zones

Hierarchical structure.
Splits up the data and load.
ROOT - hosted on DNS name server. Runs on root servers 13 of them. This is the point that all queries start. Many entities manage these roots. NASA, govt,
Stores info on top level domains of DNS. Generic (.com) and country (.eu etc.)
TLDs (.com, .edu, .io) -> Top Level Domain servers -> Name servers -> Domain server (zone and zone files)

AWS Route53 is a domain registrar
AWS Hosted Zones is a Hosting Provider

Question 42

DNSSEC

Answer 42

Secure addon for DNS.
Provides data origin authentication and data integrity protection.
Establishes a chain of trust with cryptography using public keys.
Additive - does not replace DNS.
Does not show what the data should have been - only tells you that it cannot be validated from the source.
Gives an RRSIG on return. RR is resource record. Uses private and public keys to encrypt.
RRSET is signed. Signed RRSET is stored along with RRSIG. If anything changes, the RRSIG must be updated with the private key. If they are different, then the RRSIG is invalid.
DNSKEY is the public piece of the keys used to encrypt. 256 key is a zone key, 257 is a key signing key.
DNSKEY is signed by the KSK.

Question 43

What is an A record?

Answer 43

A DNS record containing an IPv4 address.

Question 44

RRSET what are they? What uses them?

Answer 44

Resource Record Set - a set of records that are the sasnme name and same type. mail exchange with same name. They make it easier to deal with records in sets. Used within DNSSEC. RRSETs are what are validated by DNSSEC

Question 45

What is a ZSK Zone signing key used for?

Answer 45

Used to sign a RRSET to validate that the DNS record set is still valid. The private part does the signing. The public part does the validating.

Question 46

What three things does a DNSSEC Resolver need to verify a DNS record?

Answer 46

The record set, the DNSKEY (Zone signing key), and the record set signature.

Question 47

How can you verify that a Zone Signing Key is valid in DNSSEC?

Answer 47

Key Signing Key is used to sign a Zone Signing Key. It lives outside the zone.

Question 48

What steps happen in a record query in DNSSEC?

Answer 48

Resolver queries for a record.
Resolver gets record along with RRSIG created by ZSK.
Resolver gets the ZSK’s public key and checks the publics key’s signature against the Key Signing Key.
The resolver trusts the ZSK and uses it to verify the DNS RRSET.

Question 49

what is a DS record?

Answer 49

A hash of the child’s key signing key that is stored with the parent in the DNS tree.

Question 50

What are the levels of parent/child in the DNS tree?

Answer 50

ROOT
TLD ZONE
DOMAIN ZONE - Second level & Sub domains
HOSTNAMES
DNS RECORDS

Question 51

Why do we trust the root key signing key?

Answer 51

It is explicit. It is an anchor. No parent zone to root zone. It just is.
Root Signing Ceremony
Two locations, CA and VA. Private DNS root key signing key. They are stored. Trust in them is hardcoded.

The keys are locked away and stored in very secured ways. Access is controlled via HSM (hardware security module). Must have the needed group of people in order to access them.

This is a physical meeting. Pool of individuals. This is all very procedural. the output is a new RRSIG on the public root DNSKEY.

Question 52

What is the chain of trust created from in DNSSEC?

Answer 52

Root has trust implicitly. Below are hashes that can be validated via public keys.

Question 53

What is Kubernetes?

Answer 53

A container orchestration system. Automate deployment, scaling, and mgmt of containerized applications. Like Docker, except smart and automated.

Question 54

What is a cluster in kubernetes?

Answer 54

A highly available cluster of compute resources organized to work as a single unit is managed by the control plane, which schedules, scales, and deploys.

It contains nodes, which are virtual or physical servers. Each node is required to have software that enables the cluster control plane to manage it, such as docker and kubelet.

Question 55

Talk about the control plane in kubernetes.

Answer 55

cloud-controller-manager - enables connection to cloud platforms - optional
kube-controller-manager - collection of processes
kube-scheduler - ensures that the pods are used efficiently.
kube-apiserver is the interface
Nodes contrain. Pods are the smallest unit of compute in kubernetes and are non-permanent. They are temporarily created then disposed of after their job is done.

Question 56

What is an ingress?

Answer 56

allows outside interaction into a service that is on a kubernetes cluster.
There is a controller that can utilize load balancing.

Question 57

Talk about storage in kubernetes. k8s

Answer 57

Storage is ephemeral in kubernetes. Pods are scrapped after a job is complete so storage is not viable on a pods. If you need to store on kubernetes, you must configure PVs or persistent storage.

Question 58

What is RPO?

Answer 58

Recovery Point Objective. How much data can be lost during a DR situation? Hours worth of data can be lost. Minutes of data can be lost.
Banks… seconds of data loss.
Backups should be done at minimum on that RPO. Or more often… better.
Lower RPO, higher backup costs.
Different types of data in the same business may have different RPO.

Question 59

What is RTO?

Answer 59

Recovery Time Objective
How long can a service or system be unavailable after a disaster?
Bank, lower RTO.
Systems could have different RTOs within the same business.
Clock starts when the issue occurs.
Clock stops when the system is up, tested, and being used by the client.

Question 60

YAML

Answer 60

human readable data serialization language. Key value pairs.

can use strings, numbers, decimal, bools

values can be comma-separated lists of a thing.

Indentation delimiters. Must format correctly

Dictionary is a collection of key value pairs.

Can build complex data structures in YAML. Used for storage and passing of information.

Question 61

JSON

Answer 61

JavaScript Object Notation
data interchange format. easy for humans and computers. Key value pairs.
JSON is delimited not by whitespace.. YAY

Object is a dictionary. Objects can be nested.
Array is ordered collection [ ] (in YAML is list)
Values contained in object.

Question 62

Cloud Computing - 5 requirements and definition

Answer 62

Five characteristics determine if a system is a cloud.
1. On-demand self-service: Consumers can provision capabilities without needing interaction from a human.

2. Broad Network Access: capabilities are available over the network and accessed through standard mechanisms. Remote desktop, HTTP, VPN. etc.
3. Resource pooling - Pools (easier scaling) of resources to serve many consumers using a multi-tenant model (with isolation between consumers) with independence in location. No knowledge of where the hardware sits.
4. Rapid elasticity - Capabilities can be provisions and released to scale rapidly elastically with demand. Resources appear to be unlimited. Demand ^ Cost ^, Demand down, cost down.
5. Measured service: Resource use and be monitored, controlled, reported, and billed.

NIST created a definition - 800-145 doc
AWS, AZURE, GCP are these

Question 63

Public vs private vs hybrid vs Multi Cloud

Answer 63

Public - platform available to the public.
Multicloud - You use multiple public cloud providers. AWS could fail and the business keeps chugging. Don’t use a single pane of glass providers. Lose a lot of what makes each vendor unique (AWS, GCP, Azure). Highly available.
Private - Outposts, azure stack, anthos. On Prem infrastructure. Private cloud still has to meet the cloud definition. Dedicated to the business. ON PREM CLOUD.
Hybrid cloud - Private mixed with public to create a single environment.
Hybrid environment/networking - Public cloud used with on prem infrastructure.

Question 64

Cloud service models

Infrastructure stack?

Unit of consumption

Answer 64

Something as a service.

Infra/application stack - facility, infra, server, virtualization, OS, container, runtime, data, application
Parts of the stack are managed by different parties.

Unit of consumption - makes service models different.

Infrastructure as a service - infra up to virtualization is provided by vendor. Consumer consumes the operating system. Pay per time for the virtual machine. Lose flexibility because you can only use what the providers allows.

Platform as a service (PaaS) - Infra up to the container. Consumers consume the Runtime.

Software as a Service - Infra up to the data. Consumer consumes the application.