Objective 3.3 - Secure Network Designs

63 Terms

1. Active/active load balancing
All servers are active, and the load balancer can use any of them at any time. (Round robin and affinity refer to this type.)

2. Active/Passive Load Balancing
All traffic is sent to a server that is currently running; if that server fails, an idle server turns on and takes over the work of the failed server.

3. Scheduling (Load Balancing)
Sends requests to servers using set rules.

4. Persistence Load Balancing
In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

5. Network Segmentation
A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.

6. Virtual Local Area Network (VLAN)
A logical network that can separate physical devices without regard to the physical location of the device.

7. Screened subnet
Also known as a DMZ; commonly uses two firewalls: one between the public network and the DMZ, the other between the DMZ and the private network.

8. East-west traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).

9. Extranet
A private electronic network that links a company with its suppliers and customers.

10. Intranet
A network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization.

11. Zero trust
Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

12. Virtual Private Network (VPN)
A private data network that creates secure connections, or "tunnels," over regular Internet lines.

13. Always-on VPN
A VPN that allows the user to always stay connected instead of connecting and disconnecting from it.

14. Split Tunnel VPN
An encrypted connection used with VPNs that only encrypts traffic going to private IP addresses used in the private network.

15. Full Tunnel VPN
All traffic goes through the encrypted tunnel while the user is connected to the VPN.

16. Remote Access VPN
A user-to-LAN virtual private network connection used by remote users.

17. Site-to-site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.

18. IPSec VPN
A virtual private networking technology that uses IPsec tunneling for security.

19. SSL/TLS VPN
A VPN set up through a web browser portal that uses SSL/TLS to secure traffic; gives the user access to the target network.

HTML5 VPN: uses features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

20. Layer 2 Tunneling Protocol (L2TP)
A VPN protocol that lacks security features, such as encryption. However, L2TP can still be used for a secure VPN connection if it is combined with another protocol that provides encryption.

21. Network Access Control (NAC)
A technique that examines the current state of a system or network device before it is allowed to connect to the network.

22. Out-of-band management
A switch management option that provides on-site infrastructure access when the network is down, or complete remote access in cases of connectivity failures on the network (such as via a cellular signal), in order to interface with a switch.

23. Port Security
Disabling unused application/service ports to reduce the number of threat vectors.

24. Broadcast storm prevention
Can include avoiding physical cable loops among switches, using Spanning Tree Protocol (STP) on switches, and implementing port security.

25. Bridge Protocol Data Unit (BPDU)
Used by switches to share information with other switches that are participating in the Spanning Tree Protocol.

26. Bridge Protocol Data Unit (BPDU) guard
Switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports, where any BPDU frames are likely to be malicious.

27. Loop prevention
A method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.

28. Dynamic Host Configuration Protocol (DHCP) snooping
A preventive measure whose primary purpose is to prevent unauthorized DHCP servers from operating on a network.

29. Media access control (MAC) filtering
The method of securing a network by limiting which devices are allowed to connect to a network based on a list of MAC addresses kept by the wireless access points.

30. Network appliances
Devices that are dedicated to providing certain network services.

31. Jump servers (Network appliances)
A hardened server used to access and manage devices in another network with a different security zone.

32. Proxy servers
A server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.

33. Forward proxy servers
Forward requests for services from a client. They can cache content and record users' Internet activity.

34. Reverse proxy servers
Accept traffic from the Internet and forward it to one or more internal web servers. The reverse proxy server is placed in the DMZ, and the web servers can be in the internal network.

35. Network-Based Intrusion Detection System (NIDS)
A device that detects attacks and raises alerts. It is installed on network devices, such as routers or firewalls, and monitors network traffic.

36. Network-based Intrusion Prevention System (NIPS)
A system that examines network traffic and automatically responds to computer intrusions.

37. Signature-based detection
Also known as knowledge-based detection or misuse detection: the examination of system or network data in search of patterns that match known attack signatures.

38. Heuristic/behavioral-based detection
Detection mode that, instead of trying to match known variants to a database, measures traffic patterns against the baseline. Also known as anomaly-based.

39. Anomaly Detection
The process of identifying rare or unexpected items or events in a data set that do not conform to other items in the data set.

40. Inline vs. passive
Passive
- Examines a copy of the traffic
- No way to block in real time

Inline
- Malicious traffic is immediately identified

41. HSM (Hardware Security Module)
A stand-alone software or appliance used to enhance security, commonly used with PKI systems.

42. Web Application Firewall (WAF)
An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

43. Next generation firewall
A hardware- or software-based network security system that is able to detect and block sophisticated attacks by filtering network traffic dependent on the packet contents.

44. Stateful firewall
Inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic. The process of inspecting traffic to identify unique sessions is called stateful inspection.

45. Stateless firewall
A firewall that manages and maintains the connection state of a session using the filter and ensures that only authorized packets are permitted in sequence.

46. Unified Threat Management (UTM)
Comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software.

47. Network address translation (NAT) gateway
Instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances.

48. Content/URL filter
A software application or gateway that filters client requests for various types of Internet content (web, FTP, IM, and so on).

49. Open Source Firewall
Software that can be used independently of the vendor. These are usually dedicated servers and are not used as jump servers.

50. Proprietary firewall
A firewall that is owned by an entity who has an exclusive right to it.

51. Hardware firewall
A hardware firewall is a physical filtering component that inspects data packets from the network before they reach computers and other devices on a network. A hardware firewall is a free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance.

52. Software firewall
A computer running firewall software. For example, the software firewall could protect the computer itself (for example, preventing incoming connections to the computer). Alternatively, a software firewall could be a computer with more than one network interface card that runs firewall software to filter traffic flowing through the computer.

53. Appliance firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.

54. Host-based firewall
A piece of software running on a single host that can restrict incoming and outgoing network activity for that host only.

55. Virtual firewall
A firewall that is implemented in software within a virtual machine in cases where it would be difficult, costly, or impossible to install a traditional physical firewall.

56. Access Control List (ACL)
A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.

57. Route security
The basis of communicating between networks and the need to understand that protocols connect these various networks for important functionality.

58. Quality of Service (QoS)
Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.

59. Implications of IPv6
More IP address space, no need for NAT, ARP spoofing is obsolete, and IPSec is automatically built in.

60. Port spanning/port mirroring
Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

61. Port taps
A hardware device inserted into a cable to copy frames for analysis.

62. Monitoring services
These services can monitor applications, the OS, or CPU and memory usage (for example, top).

63. File integrity monitors
A series of internal processes that can validate the integrity of OS and application files.