Security and Backups

Line interactive UPS

surge protection more volrtage no interruption

on line double interactive UPS

always on no switching no interuption but even bette

PDU

power distribution unit usually a rack

generator

takes time to kick in need a UPS before it starts

active-passive redundancy

one fails other activates

active - active

both are active on same time

diverse paths

have multiple ISPs but need lots of configs to work

FHRP

first hop redundancy protocol, provide redudnacy for a local gateway with high avaibliility

VRRP

virtual router redundancy,device uses a virtual IP to get to gateway but multiple routers can use that IP

RTO

recovery time objective

RPO

recovery point objective

MTTR

mean time to repair

MTBF

mean time between failures

CIA

confiedntaily integritiy avaliablility

confidneialty

encyprtion acces control steganoghpry

avaliability

fault tolerance patching redundancy

integrity

data transffered hashing signatutes certifcations non repudation

2 vulnerability databases

CVE and NVD

zero trust

no trust even when within system constant re authenication

physical controls

access card vestibule security gaurd

tehcnical

hardware/software, disk encryption, active directory

adminstrative

policy procedures onboard off board, media handling

Physical segmentation vs logical segmentation

physical is 2 diferent routers oth is VLAN

DMZ

screened subnet addtional layer between internet

seperation of duties

multiple poeple are needed to do everything like having 2 keys

NAC

network access control use 802.1X to control physical interface security

802.1X

is used for port security

AAA

authenication authorization and accounting

TACACS

way to authenicate used by cisco

RADIUS

authenication used not just by windows

LDAP

users x.500 standard used in windows and apple

kerberos

single SSO mutual authenication

posture assessment

see if a device is secure enough to connect to a network

risk with vendors

put in a contract

swtich spoofing

used to VLAN hop by pretending to be a switch works if trunk negotation is auto enabled

double tagging

put 2 vlans tags once sent one is removed then forwarded to target VLAN stop use of native VLAN

rogue DHCP server

DHCP has no security, so monitor for rogue DHCP and use AD to authorize certain DHCP servers

virus

generic you isntall

worm

move from system to system without users knowledge

rootkit

take control of computer

what fixed deauth

802.11w is required for 802.11ac and up

tailgating vs piggybacking

piggybacking is with consent

RA gaurd

stop attacker from pretending to be an IPv6 router, so swtiches will validate an RA

DAI

dynamic ARP inspection, switch keeps IP tables and ignores bad requests

piority in security

pioritize control layer and disable unnecassary controls

port isolation

no device communication

dhcp snooping

will track IPs and notify of rogue DHCP servers

implicit vs explicit deny

explicity deny might be wanted for warning or tracking