Network2 Flashcards by Sophia Hammond

Protocols at the Transport layer (layer 4) are concerned with delivery of multiplexed application data.

They instruct a host what to do with the data in a packet, and optionally, how to verify that it is complete.

How well did you know this?

Not at all

Perfectly

________ are preassigned by the Internet Assigned Numbers Authority (IANA) to “well-known” server applications.

Port numbers 0 through 1,023; Other server applications have been registered in the port range 1,024 through 49,151.

How well did you know this?

Not at all

Perfectly

_______ are designated for private or dynamic use.

The remaining ports (up to 65,535)

How well did you know this?

Not at all

Perfectly

Protocol in the TCP/IP suite operating at the transport layer to provide connection-oriented, guaranteed delivery of packets. works at the Transport layer to provide connection-oriented, guaranteed communication using acknowledgments to ensure that delivery has occurred. an be used for unicast transmission only.

The Transmission Control Protocol (TCP)

How well did you know this?

Not at all

Perfectly

takes data from the Application layer as a stream of bytes and divides it up into segments, each of which is given a header. segments become the payload of the underlying IP datagrams.

TCP

How well did you know this?

Not at all

Perfectly

The main fields in the header of a TCP segment are the following:

Source port
Destination port
Sequence number
Ack number
Data length
Flags
Window
Checksum
Urgent pointer
Options

How well did you know this?

Not at all

Perfectly

TCP port of sending host.

Source port

How well did you know this?

Not at all

Perfectly

TCP port of destination host.

Destination port

How well did you know this?

Not at all

Perfectly

The ID number of the current segment (the sequence number of the last byte in the segment). This allows the receiver to rebuild the message correctly and deal with out-of-order packets.

Sequence number

How well did you know this?

Not at all

Perfectly

The sequence number of the next segment expected from the other host (that is, the sequence number of the last segment received +1). Packets might be out of order because they are delayed, but they could also be lost completely or arrive in a damaged state. In the first case, the lack of acknowledgment results in the retransmission of data and, in the second case, a Negative Acknowledgment (NAK or NACK) forces retransmission.

Ack number

How well did you know this?

Not at all

Perfectly

Length of the TCP segment.

Data length

How well did you know this?

Not at all

Perfectly

Type of content in the segment (ACK, SYN, FIN, and so on).

Flags

How well did you know this?

Not at all

Perfectly

The amount of data the host is willing to receive before sending another acknowledgment. TCP’s flow control mechanism means that if it is getting overwhelmed with traffic, one side can tell the other to slow the sending rate.

Window

How well did you know this?

Not at all

Perfectly

Ensures validity of the segment. The checksum is calculated on the value of not only the TCP header and payload but also part of the IP header, notably the source and destination addresses. Consequently, the mechanism for calculating the checksum is different for IPv6 (128-bit addresses) than for IPv4 (32-bit addresses).

Checksum

How well did you know this?

Not at all

Perfectly

If urgent data is being sent, this specifies the end of that data in the segment.

Urgent Pointer

How well did you know this?

Not at all

Perfectly

Allows further connection parameters to be configured. The most important of these is the maximum segment size. This allows the host to specify how large the segments it receives should be, minimizing fragmentation as they are transported over data link frames.

Options

How well did you know this?

Not at all

Perfectly

is typically established to transfer a single file, so a client session for something like a webpage (HTTP) might involve multiple _________ being opened with the server.These connections are managed using handshake transactions, which make use of a number of TCP flags.

TCP connections

How well did you know this?

Not at all

Perfectly

A connection is established using a three-way handshake:

The client sends a segment with the TCP flag SYN set to the server with a randomly generated sequence number.
The client enters the SYN-SENT state.
The server, currently in the LISTEN state (assuming it is online), responds with a SYN/ACK segment, containing its own randomly generated sequence number.
The server enters the SYN-RECEIVED state.
The client responds with an ACK segment.
The client assumes the connection is ESTABLISHED.
The server opens a connection with the client and enters the ESTABLISHED state.

How well did you know this?

Not at all

Perfectly

To close a connection, also referred to as teardown, the following basic steps are performed:

The client sends a FIN segment to the server and enters the FIN-WAIT1 state.
The server responds with an ACK segment and enters the CLOSE-WAIT state.
The client receives the ACK segment and enters the FIN-WAIT2 state.
The server sends its own FIN segment to the client and goes to the LAST-ACK state.
The client responds with an ACK and enters the TIME-WAIT state.
After a defined period, the client closes its connection.
The server closes the connection when it receives the ACK from the client.

How well did you know this?

Not at all

Perfectly

also works at the Transport layer, but unlike TCP, it is a connectionless, nonguaranteed method of communication with no acknowledgments or flow control.

The User Datagram Protocol (UDP)

How well did you know this?

Not at all

Perfectly

is suitable for applications that send small amounts of data in each packet and do not require acknowledgment of receipt. It is used by Application layer protocols that need to send multicast or broadcast traffic. It may also be used for applications that transfer time-sensitive data but do not require complete reliability, such as voice or video.

UDP

How well did you know this?

Not at all

Perfectly

This table shows the structure of a UDP header.

Source port
Destination port
Message length
Checksum
The header size is 8 bytes, compared to 20 bytes (or more) for TCP.

How well did you know this?

Not at all

Perfectly

allows you to check the state of ports on the local host. You can use ______ to check for service misconfigurations, such as a host running a web or FTP server that a user installed without authorization. You may also be able to identify suspicious remote connections to services on the local host or from the host to remote IP addresses.

netstat

How well did you know this?

Not at all

Perfectly

displays all open ports, including both active TCP and UDP connections and ports in the listening state.

netstat -a

How well did you know this?

Not at all

Perfectly

On Linux, running netstat without switches shows active connections of any type. If you want to show different connection types, you can use the switches for Internet connections:

TCP = -t UDP = -u raw connections = -w UNIX sockets/local server ports = -x includes ports in the listening state = -a shows only ports in the listening state, omitting est. connections = -l

port number 20

TCP FTP-data

port number 21

TCP FTP

Port number 22

TCP SSH/SFTP

port number 23

TCP Telnet

port number 25

TCP SMTP

port number 53

TCP/UDP domain

port number 67

UDP bootps (DHCP server)

port number 68

UDP bootpc (DHCP client)

port number 69

UDP TFTP

port number 80

TCP HTTP

Port number 110

TCP POP

port number 123

UDP NTP/SNTP

port number 143

TCP IMAP

port number 161

UDP SNMP

port number 162

UDP SNMP-trap

port number 389

TCP/UDP LDAP

port number 443

TCP HTTPS

port number 445

TCP SMB

port number 514

UDP Syslog

port number 546

UDP DHCPv6 client

port number 547

TCP DHCPv6 server

port number 587

TCP SMTPS

port number 636

TCP LDA

port number 993

TCP IMAPS

port number 995

TCP POP3S

port number 1433

TCP SQL server

port number 1521

TCP SQLNET

port number 3306

TCP MYSQL

port number 3389

TCP RDP

port number 5004

UDP RTP

port number 5005

UDP RTCP

port number 5060

TCP/UDP SIP

port number 5061

TCP/UDP SIPS

Which TCP flag is set by the client to initiate the three-way handshake? -ACK -SYN -FIN -RST

-SYN The SYN flag is used by the client to initiate the TCP three-way handshake, signaling the server that it wants to establish a connection. The ACK flag is used to acknowledge the receipt of packets, including the SYN and SYN/ACK packets during the handshake, but it is not used to initiate the handshake. The FIN flag is used to initiate the closing of a TCP connection, not to start it. The RST flag is used to abruptly reset a connection, not to initiate the three-way handshake.

A DHCP server must be allocated a _____ and configured with a range (or pool) of ______ plus option values to allocate.

static IP address; IP addresses and subnet masks

A range of addresses and options configured for a single subnet is referred to as a _____

scope; To define a scope, you must provide a start and end IP address along with a subnet mask. The server maintains a one-to-one mapping of scopes to subnets. That is, no scope can cover more than one subnet, and no subnet can contain more than one scope.

When the DHCP server offers a configuration to a client, at a minimum it must supply an IP address and subnet mask. Typically, it will also supply other IP-related settings, known as ______. Some widely used options include the following:

DHCP options. The default gateway (IP address of the router). The IP address(es) of DNS servers that can act as resolvers for name queries. The DNS suffix (domain name) to be used by the client. Other useful server options, such as time synchronization (NTP), file transfer (TFTP), or VoIP proxy.

What does the client do to ensure the offered IP address is not already in use? -Sends a DHCPDISCOVER packet -Sends a DHCPOFFER packet -Broadcasts an ARP message -Sends a DHCPREQUEST packet

-Broadcasts an ARP message; After receiving a DHCPACK, the client broadcasts an ARP message to ensure the offered IP address is not already in use. Sending a DHCPDISCOVER packet is used to find DHCP servers, not to check for IP address conflicts. Sending a DHCPOFFER packet is a server action, not a client action. Sending a DHCPREQUEST packet is used to request an IP address, not to check for its availability.

Mechanism for Windows hosts configured to obtain an address automatically that cannot contact a DHCP server to revert to using an address from the range 169.254.x.y. This is also called a link-local address. If a Windows host does not receive a response from a DHCP server within a given time frame, it selects an address at random from the range 169.254.1.1 to 169.254.254.254.

Automatic Private IP Addressing (APIPA); This type of addressing is referred to as link local in standards documentation (RFC 3927).

The main functions of Neighbor Discover (ND) are as follows:

Address autoconfiguration Prefix discovery Local address resolution Redirection

Enables a host to configure IPv6 addresses for its interfaces automatically and detect whether an address is already in use on the local network, by using neighbor solicitation (NS) and neighbor advertisement (NA) messages.

Address autoconfiguration

Enables a host to discover the known network prefixes that have been allocated to the local segment. This facilitates next-hop determination (whether a packet should be addressed to a local host or a router).

Prefix discovery

Prefix discovery uses router solicitation (RS) and ____ An ___contains information about the network prefix(es) served by the router, information about autoconfiguration options, plus information about link parameters, such as the MTU and hop limit. Routers send ____ periodically and in response to a router solicitation initiated by the host.

router advertisement (RA) messages.

Allows a host to discover other nodes and routers on the local network (neighbors). This process also uses neighbor solicitation (NS) and neighbor advertisement (NA) messages.

Local address resolution

Enables a router to inform a host of a better route to a particular destination.

Redirection

IPv6 uses a more flexible system of address autoconfiguration called _____. Mechanism used in IPv6 for hosts to assign addresses to interfaces without requiring manual intervention.

stateless address autoconfiguration (SLAAC); The host generates a link local address and uses Neighbor Discovery (ND) messages to test that it is unique. The host listens for a router advertisement (RA) or transmits a router solicitation (RS) using ND protocol messaging. The router can either provide a network prefix, direct the host to a DHCPv6 server to perform stateful autoconfiguration, or perform some combination of stateless and stateful configuration.

IPv6 uses an updated version of ICMP. The key new features are the following:

Error messaging Informational messaging

ICMPv6 supports the same sort of destination unreachable and time exceeded messaging as ICMPv4. One change is the introduction of a Packet Too Big class of error. Under IPv6, routers are no longer responsible for packet fragmentation and reassembly, so the host must ensure that they fit in the MTUs of the various links used.

Error messaging

ICMPv6 supports ICMPv4 functions, such as echo and redirect, plus a whole new class of messages designed to support ND and MLD, such as router and neighbor advertisements and solicitations.

Informational messaging

As IPv6 does not support broadcast, clients use the _______ to discover a DHCP server. DHCPv6 uses ports ______, rather than ports 68 and 67 as in DHCPv4.

multicast address ff02::1:2; 546 (clients) and 547 (servers)

a client obtains a network prefix from a router advertisement and uses it with the appropriate interface ID. The router can also set a combination of flags to tell the client that a DHCP server is available. If so configured, the client solicits a DHCPv6 server using the multicast address ff02::1:2 and requests additional configuration information.

In stateless mode

means that a host can also obtain a routable IP address from a DHCPv6 scope. In either mode, a DHCPv6 server can be used to supply options information, such as DNS server addresses, DNS suffix/domain lists, time servers, and so on.

stateful mode

What is the primary role of a DHCPv6 server in an IPv6 network? -To locate the default gateway for clients -To generate host addresses with suitable network prefixes -To provide additional option settings -To support broadcast messages for IPv6 clients

-To provide additional option settings The correct answer is to provide additional option settings. In an IPv6 network, the Stateless Address Autoconfiguration (SLAAC) process can automatically locate the default gateway and generate host addresses with suitable network prefixes. Therefore, the primary role of a DHCPv6 server is often to provide additional option settings rather than leases for host IP addresses.

Which IPv6 autoconfiguration method allows a host to generate a link-local address and verify its uniqueness? -DHCPv6 -SLAAC -Manual configuration -ARP

-SLAAC

Which Neighbor Discovery Protocol function enables a router to inform a host of a better route to a particular destination in an IPv6 network? -Address autoconfiguration -Prefix discovery -Local address resolution -Redirection

-Redirection The redirection function of the Neighbor Discovery Protocol allows a router to inform a host about a more efficient route to reach a specific destination. This mechanism helps optimize the routing of packets within an IPv6 network by directing traffic through paths that are potentially shorter or less congested. Address autoconfiguration is a process that allows IPv6 devices to automatically configure an IP address for their interfaces. It does not involve informing hosts about better routes to destinations. Prefix discovery is a function that enables a host to discover the network prefixes that are available on the local link. While it is crucial for determining the scope of the network, it does not provide information about routing to specific destinations. Local address resolution is used to discover the link-layer addresses (such as MAC addresses) of other nodes on the same local network. This process is similar to ARP in IPv4 but does not involve directing traffic or informing hosts of better routes.

What is the role of Router Advertisements (RAs) in the IPv6 address configuration process? -To request an IP address from a DHCPv6 server -To inform hosts of network prefixes and autoconfiguration options -To encrypt data packets sent between hosts and routers -To assign static IP addresses to devices

-To inform hosts of network prefixes and autoconfiguration options

What is a recommended action before reconfiguring DHCP server scopes? -Increase the lease duration. -Lower the lease duration. -Disable the DHCP server temporarily. -Inform all network users about the change.

-Lower the lease duration. Lowering the lease duration before making changes to DHCP server scopes forces all clients to renew their leases more frequently. This ensures that clients' IP configurations are updated more quickly once the changes are made, minimizing potential connectivity issues.

a "friendly" name is also typically assigned to each host. There are two types of names:

host names and fully qualified domain names (FQDNs).

is assigned to a computer by the administrator, usually when the OS is installed. The host name needs to be unique on the local network.

A host name

is used to provide a unique identity for the host belonging to a particular network. Unique label specified in a DNS hierarchy to identify a particular host within a subdomain within a top-level domain.

a fully qualified domain name (FQDN)

Given that, FQDNs must follow certain rules:

The host name must be unique within the domain. The total length of an FQDN cannot exceed 253 characters, with each label (part of the name defined by a period) no more than 63 characters (excluding the periods). A DNS label should use letter, digit, and hyphen characters only. A label should not start with a hyphen. Punctuation characters such as the period (.) or forward slash (/) should not be used. DNS labels are not case-sensitive.

is a global hierarchy of distributed name server databases that contain information on domains and hosts within those domains. At the top of the DNS hierarchy is the root, which is represented by the null label, consisting of just a period (.). There are 13 root level servers (A to M).

The Domain Name System (DNS)

DNS query type whereby a server responds with information from its own data store only. This means that a name server responds to a query with either the requested record or the address of a name server at a lower level in the hierarchy that is authoritative for the namespace.

iterative lookups

DNS query type whereby a server submits additional queries to other servers to obtain the requested information. means that if the queried server is not authoritative, it does take on the task of querying other name servers until it finds the requested record or times out.

A recursive lookup

Data file storing information about a DNS zone. The main records are as follows: A (maps a host name to an IPv4 address), AAAA (maps to an IPv6 address), CNAME (an alias for a host name), MX (the IP address of a mail server), and PTR (allows a host name to be identified from an IP address). These records allow a DNS name server to resolve queries for names and services hosted in the domain into IP addresses. can be created and updated manually (statically), or they can be generated dynamically from information received from client and server computers on the network.

resource records

DNS server designated by a name server record for the domain that holds a complete copy of zone records. The Start of Authority (SOA) record identifies the primary __ that maintains complete resource records for the zone.

authoritative name server

identify authoritative DNS name servers for the zone.

Name server (NS) records

contains the service name and port on which a particular application is hosted. are often used to locate VoIP or media servers. are also an essential part of the infrastructure supporting Microsoft’s Active Directory; they are used by clients to locate domain controllers, for instance.

a Service (SRV) record

A DNS server may have two types of zones:

forward lookup and reverse lookup.

contain the resource records listed previously. For example, given a name record, a _____ returns an IP address; an MX record returns a host record associated with the domain's mail services

forward lookup zones

returns the host name associated with a given IP address. This information is stored in a _______ zone as a pointer (PTR) record.

reverse lookup

A name server can maintain

primary and/or secondary zones:

that the zone records held on the server are editable. A zone can be hosted by multiple primary servers for redundancy. As the zone records are editable on all primaries, changes must be carefully replicated and synchronized. It is critically important to update the serial number for each change.

Primary

means that the server holds a read-only copy of the zone. This is maintained through a process of replication known as a zone transfer from a primary name server. A secondary zone would typically be provided on two or more separate servers to provide fault tolerance and load balancing. Again, the serial number is a critical part of the zone transfer process.

Secondary

Data store on DNS clients and servers holding results of recent queries.

DNS caching

refer to the domains used on the private network only. hese name records should only be available to internal clients

Internal DNS zones

refer to records that Internet clients must be able to access.

External DNS zones

help to mitigate against spoofing and poisoning attacks on DNS servers by providing a validation process for DNS responses. the authoritative server for the zone creates a "package" of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature. Security protocol that provides authentication of DNS data and upholds DNS data integrity.

DNS Security Extensions (DNSSEC)

The DNS name resolution service that uses TLS to encrypt communications between the client and server to ensure privacy and confidentiality. This uses Transport Layer Security (TLS) to validate the resolver name server's digital certificate. This mitigates the risk of a threat actor using a rogue DNS server to spoof the legitimate one. If the client trusts the certificate, the subsequent DNS traffic will be encrypted. DoT works over TCP port 853.

DNS over transport layer security (DoT)

The DNS name resolution service that uses HTTPS to encrypt communications between the client and server to ensure privacy and confidentiality. This also validates the resolver certificate and encrypts the DNS traffic but does so by encapsulating it within HTTP Secure packets. This uses the HTTPS standard port TCP/443, which completely disguises the fact that the client is making DNS queries. The downside is that the additional HTTP headers add overhead to each query and response.

DNS over hypertext transfer protocol secure (DoH)

What type of information does a root DNS server contain? -Complete information about all domains -Only information about country code domains -Complete information about top-level domain servers -Only information about second-level domains

-Complete information about top-level domain servers Root DNS servers contain complete information about top-level domain servers, enabling the hierarchical and distributed nature of the DNS system. No single server contains complete information about all domains; the DNS is distributed. Root servers contain information about all types of TLDs, not just country codes. Root servers contain information about TLD servers, which in turn know about second-level domains.

What does the Start of Authority (SOA) record identify? -The most frequently visited domain in the zone -The primary authoritative name server for the zone -The secondary name servers in the zone -The dynamic resource records in the zone

-The primary authoritative name server for the zone The SOA record identifies the primary authoritative name server that maintains complete resource records for the zone, including modifications.

What domain is used for reverse DNS querying of IPv6 addresses? -in-addr.arpa -ipv6.arpa -ip6.arpa -reverse.ipv6

-ip6.arpa For IPv6 addresses, reverse DNS queries use the ip6.arpa domain. Each hex character of the IPv6 address is reversed and used as a subdomain in this domain. in-addr.arpa is used for IPv4 addresses, not IPv6.

Can the same domain name be registered within different top-level domains? -Yes, but only if they are in different countries. -No, once a domain name is registered, it cannot be used elsewhere. -Yes, the same domain name can be registered within different TLDs -No, domain names are globally unique and cannot be duplicated.

-Yes, the same domain name can be registered within different TLDs

What does an MX record require to function correctly? -An associated CNAME record -associated A or AAAA record -A priority value of 10 -Encryption

-associated A or AAAA record

What is the significance of the priority value in MX records? -Determines the encryption level -Identifies the email server's IP address -Specifies the preferred server in a list of servers -Stores free-form text

-Specifies the preferred server in a list of servers

What role does a resolver play in DNS? -It hosts zone records for internal and external domains. -It supplies false name resolutions to clients. -It performs recursive queries in response to client requests. -It separates internal from external DNS zones.

-It performs recursive queries in response to client requests.

What is the primary function of external DNS zones? -To facilitate security for DNS management -To facilitate internal clients' access to internal network resources -To provide name resolution services for Internet clients needing to access public services -To perform recursive queries for internal DNS servers

-To provide name resolution services for Internet clients needing to access public services

What is the purpose of a secondary DNS server? -To provide authoritative answers only -To hold a read-only copy of the zone -To edit and update DNS records -To serve as the primary source of DNS records

-To hold a read-only copy of the zone

What is the purpose of using round robin DNS? -To increase DNS security -To decrease DNS lookup times -To distribute network traffic across multiple servers -To create a backup DNS server

-To distribute network traffic across multiple servers Round robin DNS is a technique used to distribute network traffic evenly across multiple servers by configuring multiple A or AAAA records with the same hostname but different IP addresses.

A host can use a variety of methods to resolve a name to an IP address. In very general terms, these will be as follows:

1. Check local name caches. One complication here is that there are different types of cache and separate caches for individual applications, such as web browsers. On Windows, you can use ipconfig /displaydns and ipconfig /flushdns to monitor and clear the system's DNS cache. 2. Check HOSTS. The HOSTS file is a static list of host name to IP address mappings. The local resolver is likely to try to use any HOSTS file mappings first (or the mappings might be cached automatically). The default location under Windows is %SystemRoot%\system32\drivers\etc\, while under Linux it is usually placed in the /etcdirectory. In most cases, HOSTS should not contain any entries (other than the loopback address). Any static entries in HOSTS could be the cause of a name resolution issue. The file can also be used for troubleshooting. 3. Verify DNS records using the nslookup or dig tools. There might be some discrepancy between the records returned by the resolver compared to the records configured on the authoritative DNS server that maintains the zone.

Any text preceded by the __ symbol in a HOSTS file is a comment and will not be processed. To verify a name resolution problem, edit the HOSTS file and place the correct name and IP address record in the file for the test host. When you ping that name, if that is successful, it suggests a name resolution service problem.

Cross-platform command tool for querying DNS resource records.

nslookup command: Host can be either a host name, domain name, FQDN, or IP address. DNSServer is the IP address of a server used to resolve the query; the default DNS server is used if this argument is omitted. Option specifies an nslookup subcommand. For example, the following command queries Google's public DNS server (8.8.8.8) for information about 515support.com's mail records: nslookup -type=mx 515support.com 8.8.8.8

Utility to query a DNS server and return information about a particular domain name or resource record. is a command line tool for querying DNS servers that ships with the BIND DNS server software published by the Internet Systems Consortium (ISC) (isc.org/downloads/bind).

Domain Information Groper (dig)

Which command can be used on Windows to display the FQDN of the local host? -hostname --fqdn -nslookup -type=fqdn -ipconfig /all -resolve-hostname

-ipconfig /all On Windows, the command ipconfig /all is used to display detailed information about the network configuration of the host, including the FQDN (Fully Qualified Domain Name). hostname --fqdn is a command used in Linux to display the FQDN of the host, not Windows. nslookup -type=fqdn is not a valid command for displaying the FQDN of the local host. nslookup is used for querying DNS servers. resolve-hostname is not a valid Windows command for displaying the FQDN of the local host.

How can you direct a dig query to a specific DNS server? -By using the -s option followed by the server's IP address -By placing the DNS server's IP address at the beginning of the command -By using the @ symbol followed by the DNS server's FQDN or IP address -By specifying the DNS server's IP address in the system settings before running dig

-By using the @ symbol followed by the DNS server's FQDN or IP address To direct a dig query to a specific DNS server, you use the @ symbol followed by the server's fully qualified domain name (FQDN) or IP address in the command. There is no -s option in dig for specifying the DNS server. The DNS server's IP address is not placed at the beginning of the command but after the @ symbol. While you can configure your system's default resolver, dig allows you to specify a DNS server directly in the command without altering system settings.

A security protocol that uses certificates for authentication and encryption that provides end-to-end security to protect web communications and other application protocols. This makes these services highly vulnerable to spoofing, eavesdropping, and unauthorized modification. ____ was developed as an IETF standard to solve this issue.

Transport Layer Security (TLS)

TLS works as a layer between the Application and Transport layers of the TCP/IP stack, or, in OSI terms, can sit at the ______ layer depending on how it is used.

Session or Presentation

When sitting on the ____ layer, TLS is used to establish and manage sessions and ensures secure communication.

session

When sitting on the ____ layer, it is used to handle encryption and data formatting.

presentation

To implement TLS

the server is installed with a digital certificate issued by some trusted certificate authority (CA).

The latest versions of TLS can use a mechanism called ____ When this is configured, not even obtaining the server's private key allows decryption of captured packets.

Perfect Forward Secrecy (PFS).

___ enables the synchronization of these time-dependent applications. ____ works over UDP on port 123.

The Network Time Protocol (NTP)

Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) via a direct physical link to an accurate clock source, such as an atomic clock accessed over the___

Global Positioning System (GPS)

Client hosts (application servers and workstations) usually obtain the time by using a modified form of the protocol called _____

Simple NTP (SNTP).

Time drift is when a system’s clock begins to deviate from the source clock. NTP can use two methods to deal with time drift:

Slew method Slam method

If the time is off by only a few seconds, NTP adjusts the time a few milliseconds at a time to get it back on track. Slewing is a slower, methodical method of correcting the time, but the risk of problems occurring is much less.

Slew method

If the time is off by more than a few seconds and slewing will take too long, NTP will hard reset the time. While this is a quick and immediate fix, slamming can cause some programs to not function properly.

Slam method

To mitigate risks from unauthorized time sources or manipulation of synchronization data, NTP can be protected using Transport Layer Security (TLS). _____ works over TCP port 4460. ___ servers may also support ports 3443 and 4443, which were specified in early draft versions of the protocol.

Network Time Security (NTS)

Networks supporting industrial processes, 5G cellular data, medical devices, market trading and financial services, or broadcasting use the __________

Precision Time Protocol (PTP).

___ can use layer 2 messaging plus hardware clocks in compatible network adapters and switches to ensure greater levels of accuracy than NTP can support. It uses mechanisms to measure and account for delay.

PTP

PTP uses the following clock types:

Grandmaster clock is the authoritative time source within a PTP domain. Boundary clock is one with interfaces in multiple PTP segments. Ordinary clock is one with a single PTP interface.

When two clocks are connected, one interface has a ___

timeTransmitter role, and the other has a timeReceiver role.

The grandmaster clock's interfaces are always _______

timeTransmitter.

A boundary clock would have the ____ role on its interface with the grandmaster and the timeTransmitter role on other interfaces.

timeReceiver

Ordinary clock interfaces are usually _

timeReceiver.

PTP can be deployed as a layer 3 protocol over IP. What is a limitation of this deployment? -It increases the network bandwidth usage significantly. -It cannot achieve the same accuracy as layer 2 implementations. -It requires additional satellite synchronization -It is incompatible with most network adapters.

-It cannot achieve the same accuracy as layer 2 implementations.

What role does a grandmaster clock play in a PTP domain? -It acts as the primary backup time source. -It is the authoritative time source. -It synchronizes directly with satellite clocks. -It serves as the primary network router.

-It is the authoritative time source.

he ISP allocates your own private server computer. This type of service is usually unmanaged (or management comes at additional cost).

Dedicated server

The ISP allocates you a virtual machine (VM) on a physical server. This is isolated from other customer instances by the hypervisor.

Virtual private server (VPS)

Your website is run on a cloud over several hardware computers, allowing more scalability if demand patterns change.

Cloud hosting

Your website is hosted within a private directory on a shared server. Performance can be severely affected by other sites hosted on the server, because all the sites are competing for the same resources.

Shared hosting

The main web server platforms are _______

Apache, Microsoft Internet Information Services (IIS), and NGINX.

Data transfer can operate in one of two modes:

active or passive.

In________ the client sends a PORT command specifying its chosen data connection port number (typically n+1), and the server opens the data connection between the chosen client port and TCP port 20 on the server

active mode,

In _____ , the client opens a data port (again, typically n+1) and sends the PASV command to the server's control port. The server then opens a random high port number and sends it to the client using the PORT command. The client then initiates the connection between the two ports.

passive mode

Active FTP poses a configuration problem for some firewalls, as the server is initiating the inbound connection, but there is no way of predicting which port number will be utilized. However, not all FTP servers and clients can operate in passive mode. If this is the case, check that firewalls installed between the client and server can support _____

active stateful inspection firewalls (SPIs).

addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. In ____ , a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22.

Secure FTP (SFTP)

Use the AUTH TLS command to upgrade an insecure connection established over TCP port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).

Explicit TLS (FTPES)

Negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses TCP port 990 for the control connection.

Implicit TLS (FTPS)

On a Windows network, the File/Print Sharing Service is provided by the______. allows a host to share its directories/files and printers to make them available for other machines to use.

Server Message Block (SMB) protocol.

It is important that any traffic on the NetBIOS port ranges ___ be blocked by a perimeter firewall.

(137–139) and port 445

_____ supports message encryption, which can be enabled on a file server or on a per-share basis. An encrypted share can only be accessed by an ___ or higher client.

SMB version 3

______ appliance is a device dedicated to performing a file server role. most devices support some level of Redundant Array of Independent Disks (RAID)

A network attached storage (NAS)

The main drawback of NAS is that it _______ .Adding a NAS to an already overwhelmed network increases network traffic and may result in unacceptable delays for users and applications to access data.

shares bandwidth with other network applications.

_______ store information in tables with rows (records) and columns (fields). Relationships between data fields in different tables is created using key fields that uniquely identify each record. are operated using Structured Query Language (SQL)

Relational databases; All the RDBMS platforms also provide support for NoSQL datastores. There are also dedicated NoSQL platforms, such as MongoDB, Amazon DynamoDB, and CouchDB

Oracle's remote data access protocol SQL*Net uses ____

TCP/1521.

Microsoft SQL Server uses ___

TCP/1433.

The open source MySQL platform uses ___. The MariaDB platform forked from MySQL uses the same port.

TCP/3306

The open source PostgreSQL platform uses ___

TCP/5432.

The other type of database is referred to as _____. can use a variety of formats, such as key-value pairs or wide columns (where rows do not have to have the same set of fields). are typically accessed using an application programming interface (API) over HTTPS.

NoSQL or "not only SQL.

In the context of FTP over Explicit TLS (FTPES), which command is used to encrypt the data connection for actual file transfers after upgrading an unsecure connection to a secure one? -AUTH TLS -PROT -PASV -SSH

-PROT The PROT command is used in FTP over Explicit TLS (FTPES) to encrypt the data connection for actual file transfers after an unsecure connection has been upgraded to a secure one using the AUTH TLS command. This ensures that not only the authentication credentials are protected but also the data being transferred. AUTH TLS is incorrect because it is the command used to upgrade an unsecure connection to a secure one, not for encrypting the data connection for file transfers. PASV is incorrect as it is a command used to request passive mode, which is related to how the connection is established between the client and server for data transfer, but it does not encrypt the data. SSH is incorrect because it is a protocol used by SFTP for secure file transfers, not a command within the FTP or FTPES protocols

Why is FTPES usually preferred over FTPS? -FTPES is faster than FTPS. -FTPES uses stronger encryption than FTPS. -FTPES is easier to configure with firewalls. -FTPES supports larger file transfer

-FTPES is easier to configure with firewalls. FTPES is usually preferred over FTPS because it is easier to configure when there are firewalls between the client and server. FTPES upgrades an unsecure connection to a secure one, making it more firewall-friendly.

Which operating system is typically used by NAS appliances? -Windows -MacOS -Linux-based -iOS

-Linux-based NAS appliances typically use a bespoke operating system that is based on Linux. This allows for flexibility and stability in managing file storage.

What feature does version 2 of HTTP add to enhance its functionality? -Increased encryption -More state-preserving features -Faster email transmission -Improved FTP support

-More state-preserving features

What does the term "stateless protocol" imply about HTTP? -The server retains information about client requests indefinitely. -The server requires authentication for every request. -Each request from a client to a server is treated as a new request. -The server stores data in a centralized database for all requests.

-Each request from a client to a server is treated as a new request.

The SMTP server of the sender discovers the IP address of the recipient SMTP server by using the domain name part of the recipient's email address.

The SMTP servers for the domain are registered in DNS using mail exchange (MX) and host (A/AAAA) records.

If there is a communication problem, the SMTP server retries at regular intervals before timing out and returning a ___ to the sender.

non-delivery report (NDR)

This is a command that upgrades an existing insecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS. This method is now deprecated but does remain in widespread use.

STARTTLS

This establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. Implicit TLS is now considered the preferred method.

Implicit TLS

Used for message relay between SMTP servers, or message transfer agents (MTAs). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.

Port 25

Used for SMTP Submission with implicit TLS. SMTP Submission is a subset of SMTP that allows the message submission agent (MSA) part of a mail client to transfer messages for delivery by a server.

Port 465

Used for SMTP Submission with explicit TLS. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.

Port 587

is the most widely used mail retrieval protocol. supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage the mailbox on the server (to organize messages in folders and to control when they are deleted, for instance) and to create multiple mailboxes.

Internet Message Access Protocol (IMAP); A client connects to an IMAP server over TCP port 143, but this port is insecure. Connection security can be established using a TLS. The default port for IMAPs is TCP/993.

is an automated switchboard providing a single connection point for an organization's voice lines. Routes incoming calls to direct dial numbers and provides facilities such as voice mail, Automatic Call Distribution (ACD), and Interactive Voice Response (IVR). A PBX can also be implemented as software (virtual PBX). An IP-based PBX or hybrid PBX allows use of VoIP.

A private branch exchange (PBX)

establishes connections between local VoIP endpoints with data transmitted over the local Ethernet network.can also route incoming and outgoing calls from and to external networks. This might involve calls between internal and external VoIP endpoints, or with voice telephone network callers and receivers. will also support features such as music on hold and voicemail.

VoIP PBX

Used to establish, manage, and disestablish communications sessions. They handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.

Session control

Handles the delivery of the actual video or voice information.

Data transport

provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems, such as dropped packets, delay, or jitter. Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS)

Quality of service (QoS)

is one of the most widely used session control protocols. endpoints are the end user devices (also known as user agents), such as IP-enabled handsets or client and server web conference software. Each device, conference, or telephony user is assigned a unique ___ address known as a ___ Uniform Resource Identifier. Application protocol used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/ video), and session management and termination.

The Session Initiation Protocol (SIP); typically runs over UDP or TCP ports 5060 (insecured) and 5061 (SIP-TLS).

enables the delivery of a stream of media data via UDP, while implementing some of the reliability features usually associated with TCP communications. works closely with the RTP Control Protocol (RTCP).

Real-time Transport Protocol (RTP)

use VLAN tagging to ensure that the SIP control and RTP media protocols can be segregated from normal data traffic. In a typical voice VLAN configuration, the LAN port on the handset is connected to the wall port, while the PC is connected to the PC port on the handset. The two devices share the same physical link, but data traffic is distinguished from voice traffic by configuring separate VLAN IDs.

VoIP phones

What is the purpose of using a tel: URI scheme in SIP systems? -To dial a landline or cell phone -To encrypt voice communications -To assign unique identifiers to devices -To compress audio data for transmission

-To dial a landline or cell phone

In a Windows environment, which protocol is typically used to access Microsoft Exchange mailboxes? -IMAP -SMTP -MAPI -HTTPS

-MAPI; In a Windows environment, the proprietary Messaging Application Programming Interface (MAPI) protocol is typically used to access Microsoft Exchange mailboxes. MAPI allows for integration with Microsoft products and provides functionalities specific to Exchange. IMAP is a general email access protocol and not specific to Microsoft Exchange. SMTP is used for sending emails, not for accessing mailboxes.

What is one of the primary purposes of the Internet Message Access Protocol (IMAP)? -To encrypt email messages -To deliver email to hosts that are permanently available -To manage a mailbox on a server -To connect to web servers

-To manage a mailbox on a server

addresses large-scale network outage incidents. These will typically be incidents that threaten the performance or security of a whole site

A disaster recovery plan (DRP)

A DRP should accomplish the following:

Identify scenarios for natural and non-natural disasters and options for protecting systems. Identify tasks, resources, and responsibilities for responding to a disaster. Disaster recovery focuses on tasks such as switching services to failover systems or sites and restoring systems and data from backups. Train staff in the disaster planning procedures and how to react well to adverse events.

Tabletop exercises

involve performing simulations of failovers. This tests that services can be restored using backup configurations and data. can also test metrics for recovery time. They can also reveal any unexpected problems, such as dependencies between services not being met during the failover process.

Validation tests

is a collection of processes and resources that enable an organization to maintain normal business operations in the face of some adverse event.

business continuity plan (BCP) or continuity of operations plan (COOP)

Continuity planning activity focuses on the functions performed by a business or other organization:

Business impact analysis (BIA) identifies mission essential and primary business functions and the risks that would arise if the organization cannot fulfill them. IT contingency planning (ITCP) or IT service continuity planning (ITSCP) ensures that these functions are supported by resilient IT systems, working to identify and mitigate all single points of failure from a process or function.

One of the key properties of a resilient system is ________

availability. Availability is the percentage of time that the system is online, measured over a certain period, typically one year.

Availability: 99.9999% 99.999% 99.99% 99.9% 99%

Annual MTD (hh:mm:ss) 00:00:32 00:05:15 00:52:34 08:45:36 87:36:00

This is the period following a disaster that an individual IT system may remain offline. This represents the maximum amount of time allowed to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance).

Recovery time objective (RTO).

Following systems recovery, there may be additional work to reintegrate different systems, restore data from backups, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.

Work recovery time (WRT); RTO+WRT must not exceed MTD!

This is the amount of data loss that a system can sustain, measured in time units. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered from a backup copy to a point not more than 24 hours before the database was infected.

Recovery point objective (RPO)

can failover almost immediately. It generally means that the site is already within the organization's ownership and is ready to deploy. A fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.

A hot site

could be similar but with the requirement that the latest dataset will need to be loaded. An alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

A warm site

takes longer to set up. A cold site may be an empty building with a lease agreement in place to install whatever equipment is required when necessary. A predetermined alternate location where a network can be rebuilt after a disaster.

A cold site

represents the expected lifetime of a product. The calculation for ____ is the total operational time divided by the number of failures. For example, if you have 10 appliances that run for 50 hours and two of them fail, the ____ is 250 hours/failure (10*50)/2.

Mean time between failures (MTBF)

expresses a similar metric for non-repairable components. For example, a hard drive may be described with an ___, while a server, which could be repaired by replacing the hard drive, would be described with an ___. The calculation for ___ is the total operational time divided by the number of devices. For example, say two drives were installed in the server in a RAID array. One had failed after 10 years, but had never been replaced, and the second failed after 14 years, bringing down the array and the server. The ___ of the drives is (10+14)/2 = 12 years.

Mean time to failure (MTTF)

is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to replace or recover. ____is calculated as the total number of hours of unplanned maintenance divided by the number of failure incidents. This average value can be used to estimate whether a recovery time objective (RTO) is achievable.

Mean time to repair (MTTRr)

Components such as power supplies, network cards, drives (RAID), and cooling fans provide protection against hardware failures. A fully redundant server configuration is configured with multiple components for each function (power, networking, and storage). A faulty component will then automatically failover to the working one.

Redundant spares

If there are multiple paths between switches and routers, these devices can automatically failover to a working path if a cable or network port is damaged.

Network links

Provide power protection in the event of complete power failure (blackout) and other types of building power issues.

Uninterruptible power supplies (UPSs) and standby power supplies

Provide protection for data.

Backup strategies

A means of ensuring that the total failure of a server does not disrupt services generally.

Cluster services

can be deployed as a hardware appliance or software instance to distribute client requests across server nodes in a farm or pool. A type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.

load balancer

Basic load balancers make forwarding decisions on IP address and TCP/UDP header values, working at the Transport layer of the OSI model.

Layer 4 switch

As web applications have become more complex, modern load balancers need to be able to make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming. This requires more complex logic, but the processing power of modern appliances is sufficient to deal with this.

Layer 7 switch (content switch)

allows multiple redundant processing nodes that share data with one another to accept connections. If one of the nodes in the ____ stops working, connections can failover to a working node. To clients, the _____ appears to be a single server. A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

clustering

Unlike load balancing with a single appliance, the public IP used to access the service is shared between the two instances in the cluster. An IP address that is assigned to multiple domain names or servers, rather than to a single NIC port, to support load balancing.

This is referred to as a virtual IP or shared or floating address.

In the previous example, if one node is active, the other is passive. This is referred to as _______. The major advantage of _____ configurations is that performance is not adversely affected during failover. However, the hardware and operating system costs might be higher because of the unused capacity.

active-passive clustering

______ means that both nodes are processing connections concurrently. This allows the administrator to use the maximum capacity from the available hardware while all nodes are functional. In the event of a failover, the workload of the failed node is immediately and transparently shifted onto the remaining node. At this time, the workload on the remaining nodes is higher, and performance is degraded.

An active-active cluster

Provisioning failover routers to serve as the default gateway for a subnet. Also referred to as Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP).

first hop redundancy protocols (FHRP)

allows multiple physical routers to serve as a single default gateway for a subnet. To do this, each router must have an interface connected to the subnet, with its own unique MAC address and IP address. In addition, they also need to be configured to share a common virtual IP address and a common MAC address. The group of routers configured in this way is known as a standby group

The proprietary Hot Standby Router Protocol (HSRP) developed by Cisco

is similar to HSRP, with the differences mainly being in terminology and packet formats. In ____, the active router is known as the master, and all other routers in the group are known as backup routers. There is no specific standby router; instead, all backup routers monitor the status of the master, and in the event of a failure, a new master router is selected from the available backup routers based on priority.

The open standard protocol Virtual Router Redundancy Protocol (VRRP); One advantage of VRRP over HSRP is that it does not require each router interface to be assigned a unique IP address. It is possible to configure VRRP routers to use only the virtual IP address. This can be useful on subnets where address space utilization is high.

Which FHRP is designed to work in an active/standby configuration? -GLBP -VRRP -HSRP -OSPF

-HSRP HSRP (Hot Standby Router Protocol) is designed to work in an active/standby configuration, where one router is active and the others are standby routers ready to take over if the active router fails. GLBP is designed for load balancing, allowing for an active/active configuration. VRRP works in an active/standby configuration but is not the only protocol designed for this purpose. OSPF is a routing protocol, not a FHRP.

means identifying and documenting all the infrastructure and devices installed at a site. A process through which an organization's information systems components are kept in a controlled state that meets the organization's requirements, including those for security and compliance.

Configuration management

Configuration management is implemented using the following elements:

Service assets are things, processes, or people that contribute to the delivery of an IT service. Each asset must be identified by some sort of label. A configuration item (CI) is an asset that requires specific management procedures for it to be used to deliver the service. CIs are defined by their attributes. A configuration management system (CMS) is the tools and databases that collect, store, manage, update, and present information about CIs. A small network might capture this information in spreadsheets and diagrams; there are dedicated applications for enterprise CMSs.

baseline documents the approved or authorized state of a CI. This allows auditing processes to detect unexpected or unauthorized change. A baseline can be a ____ (the ACL applied to a firewall, for instance) or a performance baseline (such as the throughput achieved by the firewall). A baseline configuration is sometimes referred to as a golden configuration.

configuration baseline

______ is the state of a CI as used within a working network. This might deviate temporarily or persistently from the baseline. This deviation is often referred to as configuration drift.

The production configuration

____ is a copy of the production configuration made at a particular time. As the production configuration might have drifted, a given backup might also not match the golden configuration.

A backup configuration

An appliance may also support two backup modes:

State/bare metal Configuration file

A snapshot-type image of the whole system. This can be redeployed to any device of the same make and model as a system restore.

State/bare metal

A copy of the configuration data in a structured format, such as Extensible Markup Language (XML). This file can be used in a two-stage restore where the OS or firmware image is applied first (or a new appliance provisioned) and then the configuration is restored by importing the backup file.

Configuration file

minimizes the risk of configuration drift and unscheduled downtime by implementing changes in a planned and controlled way. The process through which changes to the configuration of information systems are implemented as part of the organization's overall configuration management efforts.

A documented change management process

The need to change is often described either as ___, where the change is forced on the organization, or as ___, where the need for change is initiated internally.

reactive; proactive

In a formal change management process, the need for change and the procedure for implementing the change is captured in a ______document.

Request for Change (RFC)

Major or significant changes might be managed as a separate project and require approval through a _____

Change Advisory Board (CAB).

In a fully documented environment, each task will be governed by a _______. sets out the principal goals and considerations, such as budget, security, or customer contact standards, for performing a task and identifies lines of responsibility and authorization for performing it.

standard operating procedure (SOP).

_____ can be configured to store as much or as little information as is deemed necessary, though typical data would be type, model, serial number, asset ID, location, user(s), value, and service information.

An asset management database

Method to track the life cycle phases of one or more hardware, service, or software systems in your organization.

system life-cycle management.

refers to the managed acquisition, deployment, use, and decommissioning of assets.

A system life-cycle

When a manufacturer discontinues sales of a product, it enters an ______ phase in which support and availability of spares and updates become more limited. is sometimes referred to as End of Sale (EOS).

end of life (EOL)

An ________ system is one that is no longer supported by its developer or vendor. products no longer receive security updates and so represent a critical vulnerability if any remain in active use. can be referred to as End of Service Life (EOSL).

end of support (EOS)

is publicly-released collection of updates. These can include fixes and feature changes/improvements.

A patch

is a code change that addresses a specific issue that can be applied without incurring downtime

A hotfix

is one that requires the software or host to be restarted.

a coldfix

The term ___ is usually reserved for issues that are caught during product development and testing.

bugfix

Updating firmware is known as ___

flashing the chip

In asset management, the policies and procedures that govern the removal of devices and software from production networks, and their subsequent disposal through sale, donation, or as waste.

decommissioning

Leftover information on a storage medium even after basic attempts have been made to remove that data.

data remnants

Media ____ refers to erasing data from HDD, SSD, and tape media before they are disposed of or put to a different use.

sanitization

The standard method of sanitizing an HDD is called _____. The basic _____ is called zero filling, which just sets each bit to zero.

overwriting; A more secure method is to overwrite the content with one pass of all zeros, then a pass of all ones, and then one or more additional passes in a pseudorandom pattern.

Method of sanitizing a drive using the ATA command set. This command can be invoked using a drive/array utility or the hdparm Linux utility. On HDDs, this performs a single pass of zero-filling.

a Secure Erase (SE)

Media sanitization command built into HDDs and SSDs that are self-encrypting that works by erasing the encryption key, leaving remnants unrecoverable.

Instant Secure Erase (ISE)

_______ shows how wires are routed through conduit from telecommunications closets to work areas.

A cable map or floor plan

_____ identifies how wall ports located in work areas are connected back to ports in a distribution frame or patch panel and then from the patch panel ports to the switch ports.

A port location diagram

____ should also show how power outlets on the uninterruptible power supply (UPS) connect to appliance power supply units (PSUs).

Rack diagrams

_____ shows detailed information about the termination of twisted pairs in an RJ45 jack or Insulation Displacement Connector (IDC). You might also use a w_____ to document how fiber optic strands are terminated.

A wiring diagram (or pin-out)

______ records the position of each appliance in the rack. You can obtain stencils that represent vendor equipment from their websites or a collection such as visiocafe.com.ou can record key configuration information for each item using labels. As well as service tags, port IDs, and links, you should identify which power outlets on the uninterruptible power supply (UPS) connect to which appliance power supply units (PSU)s.

A rack diagram

In contrast to floor plans drawn to an accurate scale, _____ is a simplified or abstracted representation of a system. can show the general placement of equipment and telecommunications rooms, plus device and port IDs, without trying to capture the exact position or relative size of any one element. can also be used to represent the logical structure of the network in terms of zones and subnets.

a schematic

Asset IDs, cable links, and wall/patch panel/switch port IDs. You can use color-coding or line styles to represent the cable type (make sure the diagram has an accompanying legend to explain your scheme).

PHY (Physical layer)

Shows interconnections between switches and routers, with asset IDs (or the management IP of the appliance), interface IDs, and link-layer protocol and bandwidth. You could use line thickness to represent bandwidth, but for clarity it is a good idea to use labels as well.

Data Link (layer 2)

IP addresses of router interfaces (plus any other static IP assignments) and firewalls, plus links showing the IP network ID and netmask, VLAN ID (if used), and DHCP scopes.

Logical (IP/layer 3)

Server instances and TCP/UDP ports in use. You might also include configuration information and performance baselines (CPU, memory, storage, and network utilization) at this level.

Application

software provides better automation and oversight than these manually compiled lists. Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.

IP address management (IPAM)

The core function of ___ is to scan DHCP and DNS servers and log IP address usage to a database. Most suites can scan IP address ranges to detect use of statically assigned addresses. may also be able to scan the hardware associated with an IP address (device fingerprinting) and save the information to an asset inventory. can often be used to manage and reconfigure DHCP and DNS servers remotely. The software also provides analysis tools to allow administrators to identify overloaded DHCP scopes or to make more valuable public IP addresses available.

IPAM

is a contractual agreement setting out the detailed terms under which an ongoing service is provided. This can be a legally binding formal contract between supplier and customer businesses or a less formal agreement. define aspects of the service, such as scope, performance characteristics, and responsibilities that are agreed upon between the service provider and the customer.

A service level agreement (SLA)

is the legal basis for protecting information assets. It defines what uses of sensitive data are permitted, what storage and distribution restrictions must be enforced, and what penalties will be incurred by breaches of the agreement.

A nondisclosure agreement (NDA)

is a preliminary or exploratory agreement to express an intent to work together. are usually intended to be relatively informal and not to act as binding contract. almost always have clauses stating that the parties shall respect confidentiality.

A memorandum of understanding (MOU)

What historical method might IT departments have used for tracking IP usage? -Cloud-based databases -Static files -Physical logbooks -Oral tradition

-Static files

Processes and tools that facilitate identification of hosts present on a network or subnet. Windows firewall configurations makes a host visible to network browsers. network discovery; This is usually described as _____

network discovery or visibility.

is necessary to confirm that servers and clients are in the correct VLANs or subnets and to try to identify rogue or unauthorized machines.

Visibility

is a tool that performs host discovery and can establish the overall logical topology of the network in terms of subnets and routers. Utility that can probe a network to detect which IP addresses are in use by hosts.

An IP scanner

____is a basic type of IP scanning that only attempts to determine whether an IP address is "up."

Host discovery

can also report more detailed information about interface statistics, while as noted above, enterprise suites can query local DHCP and DNS servers for information.

Some suites use Simple Network Management Protocol (SNMP) queries

is widely used for IP scanning, both as an auditing and as a penetration testing tool. The tool is open-source software with packages for most versions of Windows, Linux, and macOS. It can be operated with a command line or via a GUI (Zenmap). A highly adaptable, open-source network scanner used primarily to scan hosts and ports to locate services and detect vulnerabilites.

The Nmap Security Scanner (nmap.org)

___ tries to identify which TCP and UDP ports are listening.

A port scanner

This is a fast technique (also referred to as half-open scanning) as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.

TCP SYN (-sS)

A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap must use the OS to attempt a full TCP connection. This type of scan is less stealthy.

TCP connect (-sT)

Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.

UDP scans (-sU)

By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range. You can also use --top-ports n, where n is the number of commonly used ports to scan. The frequency statistics for determining how commonly a port is used are stored in the nmap-services configuration file.

Port range (-p)

runs by default on all Cisco switch, router, and access point hardware. It uses Data Link layer multicast messaging to send status announcements over local interfaces every 60 seconds. Proprietary protocol used by Cisco network appliances to discover layer 2 adjacent devices or neighbors. uses the multicast address 01:00:0c:cc:cc:cc. Each device keeps a cache table of the data compiled from announcements it has received.

Cisco Discovery Protocol (CDP)

reports information from the CDP cache. CDP can report device ID/host name, IOS version, interface addresses and statistics, VLAN information, and Power over Ethernet usage.

The command show cdp neighbors

is a standards-based approach that offers similar functionality to CDP. ____ uses the multicast address 01:80:c2:00:00:0e. It sends announcements every 30 seconds, by default.

The IEEE Link Layer Discovery Protocol (LLDP)

This is the rated speed of all the interfaces available to the device, measured in Mbps or Gbps. For wired Ethernet links, this will not usually vary, but the bandwidth of WAN and wireless links can change over time.

Bandwidth

This is the actual amount of data transferred. Utilization expresses this as a percentage of the bandwidth, while throughput is the amount of data transferred per unit of time.

Utilization/throughput

Devices such as switches and routers perform a lot of processing. If CPU and/or system memory utilization (measured as a percentage) is consistently very high, an upgrade might be required. High CPU utilization can also indicate a problem with network traffic.

CPU and memory

Some network devices require persistent storage (typically, one or more flash drives) to keep configuration information and logs. Storage is measured in MB or GB. If the device runs out of storage space, it could cause serious errors. Servers also depend on fast input/output (I/O) to run applications efficiently.

Storage

establish the level of resource utilization at a point in time, such as when the system was first installed. This provides a comparison to measure system responsiveness later. Values for resource utilization that assess the performance or stability of a service based on historical information or vendor guidance.

Baseline metrics

triggers an alert or alarm if a host or service experiences an outage or other unscheduled downtime. These tools are also referred to as heartbeat monitors or uptime monitors.

An availability monitor

When you are troubleshooting unresponsive service issues, they will usually manifest with multiple clients being unable to connect. There can be any number of underlying causes, but consider some of the following:

The application or OS hosting the service has crashed (or there is a hardware or power problem). The server hosting the service is overloaded (high CPU/memory/disk I/O utilization/disk space utilization). Try throttling client connections until the server resources can be upgraded. There is congestion in the network, either at the client or server end (or both). Use ping or traceroute to check the latency experienced over the link and compare to a network performance baseline. Again, throttling connections or bandwidth may help to ease the congestion until higher bandwidth links can be provisioned. A broadcast storm is causing loss of network bandwidth. Switching loops causes broadcast and unknown unicast frames to circulate the network perpetually, as each switch repeatedly floods each frame. A broadcast storm may quickly consume all link bandwidth and crash network appliances (check for excessive CPU utilization on switches and hosts). The Spanning Tree Protocol (STP) is supposed to prevent such loops, but this can fail if STP communications between switches do not work correctly, either because of a fault in cabling or a port/transceiver or because of a misconfiguration. Ports can also be configured with storm control. This will start to drop broadcasts and unknown unicasts if they reach a certain level. Network congestion or high host CPU/memory utilization may also be a sign that the service is being subject to a denial of service (DoS) attack. Look for unusual access patterns (for example, use GeoIP to graph source IP addresses by country and compare to baseline access patterns).

is a template for the state that a given device should be in.

The baseline or golden configuration

is the state that the device is actually in. Also, a device could have a running configuration that is different from its startup configuration.

he production configuration

is a point-in-time copy of a running or startup configuration.

A backup configuration

generates logs, alerts, or alarms when there is a change to a device's production configuration. Some tools may be capable of identifying line-by-line differences between production and baseline configurations. Processes and tools that facilitate reporting and alerting when a host or app's configuration deviates from a baseline or golden configuration.

A configuration monitor

What is the purpose of using the -sV or -A switch with Nmap? -To increase the speed of the scan -To disable logging of the scan results -To probe for software versions on each port -To limit the scan to the local network only

-To probe for software versions on each port

Which Nmap scan type is less stealthy due to its use of the operating system to attempt a full TCP connection? -TCP SYN (-sS) -TCP connect (-sT) -UDP scans (-sU) -Port range (-p)

-TCP connect (-sT)

What should you consider doing if a server hosting a service is overloaded? -Decrease the server's memory. -Throttle client connections. -Increase network congestion. -Disable the Spanning Tree Protocol (STP).

-Throttle client connections.

What does an availability monitor check for in an HTTP service to confirm availability? -A 404 status code -A 200 status code -A 500 status code -A 302 status code

-A 200 status code A 200 status code indicates that an HTTP request has succeeded, which is what an availability monitor looks for to confirm that a service is available. A 404 status code indicates that the requested resource could not be found, which would suggest unavailability. A 500 status code indicates an internal server error, also suggesting a problem with availability. A 302 status code indicates a temporary redirection, not necessarily that the service is available.

is a widely used framework for remote management and monitoring of servers and network appliances. consists of agents and a monitoring system.

The Simple Network Management Protocol (SNMP)

is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.

The agent

A device running an SNMP agent is referred to as a

managed device.

The agent maintains a data store called a ____ that holds variables relating to the activity of the device, such as the number of frames per second handled by a switch.

management information base (MIB)

Each parameter stored in a MIB is referred to by a numeric ____. are stored within a tree structure.

Object Identifier (OID).

acts as a rudimentary type of password.

The community string; An agent can pass information only to management systems configured with the same community string.

There are usually two community strings;

one for read-only access and one for read-write access (or privileged mode).

is management software that provides a location from which you can oversee network activity. The monitor polls agents at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary.

An SNMP monitor

The monitor can retrieve information from a device in two main ways:

Get Trap

The software queries the agent for a single OID. This command is used by the monitor to perform regular polling (obtaining information from devices at defined intervals).

Get

The agent informs the monitor of a notable event, such as port failure. The threshold for triggering traps can be set for each value.

Trap

The monitor can be used to change certain variables using the

Set command

Device queries take place over ____; traps are communicated over ____.

UDP port 161; UDP port 162

This protocol version has no support for robust authentication or encryption.

Many networks run SNMP v2c.

When using SNMP v2c, apply the following guidelines:

SNMP v2c community strings are sent in plaintext and should not be transmitted over the network if there is any risk of interception. Use difficult-to-guess community strings; never leave the community string blank or set it to the default. Use access control lists to restrict management operations to known hosts (that is, restrict to one or two host IP addresses).

supports encryption and strong user-based authentication. Instead of community strings, the agent is configured with a list of usernames and access permissions. When authentication is required, the SNMP message is signed with a hash of the user's passphrase. The agent can verify the signature and authenticate the user using its own record of the passphrase.

SNMP v3

are one of the most valuable sources of performance, troubleshooting, and security auditing information.

Network device logs

consists of metadata, such as the date and time, category, and event ID, plus a description and contents of error or informational output.

A single logged event

records startup events plus subsequent changes to the configuration at an OS level. This will certainly include kernel processes and drivers but could also include core services.

A system log

records data for a single specific service, such as DNS, HTTP, or a database. Note that a complex application could write to multiple log files. For example, the Apache web server logs errors to one file and access attempts to another.

an application log

records use of authentication and authorization privileges. It will generally record success/fail type events. might also be described as an access log or security log. might be performed at an OS level and at a per-application level.

An audit log

record metrics for compute, storage, and network resources over a defined period.

Performance and traffic logs

receives event messages forwarded from numerous devices to a single storage location. As well as collecting logs, the system can be configured to run one or more status and alerting dashboards.

A log collector

is an example of a protocol and supporting software that facilitates log collection. It has become a de facto standard for logging events from distributed systems. Application protocol and event-logging format enabling different appliances and software applications to transmit logs or event records to a central server. Syslog works over UDP port 514 by default. provides an open format for event data.

Syslog

comprises a PRI code, a header containing a timestamp and host name, and a message part. The PRI code is calculated from the facility and a severity level. The message part contains a tag showing the source process plus content. The format of the content is application dependent.

A syslog message

The system is unusable (kernel panic).

Code 0 level emergency

A fault requiring immediate remediation has occurred.

Code 1 level alert

A fault that will require immediate remediation is likely to develop.

Code 2 level critical

A nonurgent fault has developed.

code 3 level error

A nonurgent fault is likely to develop.

code 4 level warning

A state that could potentially lead to an error condition has developed.

code 5 level notice

A normal but reportable event has occurred.

code 6 level informational

Verbose status conditions used during development and testing

code 7 level debug

configured on each host determines the maximum level at which events are recorded or forwarded. For example, if the logging level for remote forwarding is set to 4, events that are level 5, 6, or 7 are not forwarded. Threshold for storing or forwarding an event message based on its severity index or value. Also referred to as the severity level.

The logging level

refers to normalizing data from different sources so that it is consistent and searchable. can also condense repetitive, individual events to a summary event that counts the number of instances.

log aggregation

is designed to integrate network and security monitoring through automated collection, aggregation, and analysis of log data. A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. The core function of a ____ tool is to aggregate logs from multiple sources. In addition to logs from Windows and Linux-based hosts, this could include devices such as switches, routers, firewalls, intrusion detection sensors, vulnerability scanners, malware scanners, and databases.

Security Information and Event Management (SIEM)

What does log aggregation in the context of SIEM refer to? -The physical collection of log files from different devices -The process of deleting outdated log files to free up storage space -Normalizing data from different sources to make it consistent -Encrypting log files for secure storage

-Normalizing data from different sources to make it consistent

What is an automated event management system configured to generate? -Detailed reports for every event -Some sort of alert - backup of the logging system -A list of all devices on the network

-Some sort of alert

allows inspection of traffic received by a host or passing over a network link. depends on a packet sniffer

A protocol analyzer

captures frames moving over the network medium. A monitor that records (or "sniffs") data from frames as they pass over network media, using methods such as a mirror port or TAP device.

a packet sniffer

There are three main options for connecting a sniffer to the appropriate point in the network:

SPAN (switched port analyzer)/port mirroring Passive test access point (TAP) Active TAP

This means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored, and frames may be dropped under heavy load. Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.

SPAN (switched port analyzer)/port mirroring

This is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling. Unlike a SPAN, no logic decisions are made so the monitor port receives every frame—corrupt or malformed or not—and the copying is unaffected by load.

Passive test access point (TAP)

This is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive tap to monitor, and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the links in the event of power loss.

Active TAP

is a command line packet capture utility for Linux, providing a user interface to the libpcap library.

tcpdump; The basic syntax of the command is: tcpdump -i eth0

works in conjunction with a packet capture or sniffer tool. You can either analyze a live capture to analyze frames as they are read by a sniffer or open a saved capture (.pcap) file. bundle a sniffer component with the analyzer in the same software package.Utility that can parse the header fields and payloads of protocols in captured frames for display and analysis. Also called a packet analyzer.

A protocol analyzer

One function of a _____ is to parse each frame in a stream of traffic to reveal its header fields and payload contents in a readable format.

protocol analyzer

is an open source graphical packet capture and analysis utility, with installer packages for most operating systems.

Wireshark (wireshark.org)

Another function of a _______ is to perform traffic analysis. Rather than reading each frame individually, you use the tool to monitor statistics related to communications flows, such as bandwidth consumed by each protocol or each host, identifying the most active network hosts, monitoring link utilization and reliability, and so on.

protocol analyzer

How can the detail of the information shown about each frame be increased in tcpdump? -Using the -w switch -Using the -i switch -Using the -v, -vv, or -vvv switches -Using the -e switch

-Using the -v, -vv, or -vvv switches The -v, -vv, and -vvv switches in tcpdump are used to increase the verbosity or the amount of detail shown about each captured frame. The more "v"s, the more detailed the output, allowing for a deeper analysis of the packet contents. The -w switch writes output to a file, not increases detail. The -i switch specifies the interface to listen on, not increases detail. The -e switch shows the Ethernet header, not increases the overall detail of the frame information

Which option is used with tcpdump to specify the network interface to listen on? -i -w -v -e

-i

Why might an aggregation TAP drop frames under heavy load? -Because it cannot handle encrypted traffic -Because it does not support gigabit signaling -Because it rebuilds streams into a single channel -Because it requires a direct internet connection

-Because it rebuilds streams into a single channel

In Wireshark, where can you access tools for traffic analysis? -File menu -Edit menu -Statistics menu -Tools men

-Statistics menu

The data transferred over a period. This can either be measured as the amount of data traffic both sent and received (measured in bits or bytes per second or a multiple thereof) or calculated as a percentage of the available bandwidth.

Utilization

Packet or byte counts for a specific protocol. It is often useful to monitor both packet counts and bandwidth consumption. High packet counts will incur processing load on the CPU and system memory resources of the appliance, even if the size of each packet is quite small.

Per-protocol utilization

The number of packets per second that cause errors. Errors may occur as a result of interference or poor link quality causing data corruption in frames. In general terms, error rates should be under 1%; high error rates may indicate a driver problem if a network media problem can be ruled out.

Error rate

An interface may discard incoming and/or outgoing frames for several reasons. Each interface is likely to class the type of discard or drop separately to assist with troubleshooting the precise cause.

Discards/drops

Errors and discards/drops mean that frames of data are lost during transmission between two devices. As a result, the communication will be incomplete, and the data will, therefore, have to be retransmitted to ensure application data integrity. If you observe high levels of retransmissions (as a percentage of overall traffic), you must analyze and troubleshoot the specific cause of the underlying packet loss, which could involve multiple aspects of network configuration and connectivity.

Retransmissions

is configured on network appliances (switches, routers, and firewalls). Each flow is defined on an exporter. A traffic flow is defined by packets that share the same characteristics, such as Source IP Address, Destination IP Address, Source Port, Destination Port, and Protocol. These five bits of information are referred to as a 5-tuple. A 7-tuple flow adds the input interface and IP type of service data. Each ____ caches data for newly seen flows and sets a timer to determine flow expiration. When a flow expires or becomes inactive, the ____transmits the data to a collector.

A NetFlow exporter

aggregates flows from multiple exporters. A large network can generate huge volumes of flow traffic and data records, so the collector needs a high-bandwidth network link and substantial storage capacity. The exporter and ____ must support compatible versions of NetFlow and/or IPFIX. The most widely deployed versions of NetFlow are v5 and v9.

A NetFlow collector

reports and interprets information by querying the collector and can be configured to generate alerts and notifications. In practical terms, the collector and _______ components are often implemented as a single product.

A NetFlow analyzer

are the interfaces generating the most outgoing traffic (in terms of bandwidth), while top listeners are the interfaces receiving the most incoming traffic.

Top talkers

These test how fast the local broadband link to the Internet is. They are mostly designed for SOHO use. The tool will test downlink and uplink speeds, will test latency using ping, and can usually compare the results with neighboring properties and other users of the same ISP.

Broadband speed checkers

These query a nominated website to work out how quickly pages load. One of the advantages of an online tool is that you can test your site's response times from the perspective of customers in different countries.

Website performance checkers

classifies each packet passing through a device. Router policies can then be defined to use the packet classification to prioritize the delivery. is an IP (layer 3) service tagging mechanism. It uses the Type of Service field in the IPv4 header (Traffic Class in IPv6). The field is populated with a 6-byte DiffServ Code Point (DSCP) by either the sending host or by the router. Packets with the same DSCP and destination are referred to as behavior aggregates and allocated the same Per Hop Behavior (PHB) at each DiffServ-compatible router.

The Differentiated Services (DiffServ) framework

DiffServ traffic classes are typically grouped into three types:

Best Effort. Assured Forwarding (which is broken down into sub-levels). Expedited Forwarding (which has the highest priority).

categorize protocols into groups requiring different service levels and provide a tagging mechanism to identify a frame or packet's class.

class of service (CoS)

In terms of QoS, network functions are commonly divided into three planes:

Control plane Data plane Management plane

Makes decisions about how traffic should be prioritized and where it should be switched.

Control plane

Handles the actual switching of traffic.

Data plane

Monitors traffic conditions.

Management plane

delay certain packet types—based on their content—to ensure that other packets have a higher priority. This can help to ensure that latency is reduced for critical applications.

Traffic shapers

What is the primary function of traffic shapers? -To increase the speed of packet delivery -To delay certain packet types based on their content -To categorize protocols into different service levels -To monitor traffic conditions and generate reports

-To delay certain packet types based on their content

What is a potential consequence of using traffic policing devices instead of traffic shapers? -Increased latency for non-critical applications -More efficient use of available bandwidth -Fewer lost packets during periods of congestion -Under-utilization of bandwidth during idle periods

-Under-utilization of bandwidth during idle periods

What are latency and jitter in the context of network performance? -Types of network security protocols -Measures of network speed and efficiency -Problems of timing and sequence of packet delivery -Techniques for optimizing bandwidth usage

-Problems of timing and sequence of packet delivery

What type of data transfer is described as bursty? -Real-time video streaming -Voice over IP (VoIP) -File transfer -Live audio broadcasting

-File transfer

What is the primary purpose of monitoring individual interface statistics in a network? -To increase the network speed -To diagnose performance issues -To reduce the cost of network maintenance -To enhance the security of network communications

-To diagnose performance issues

What role does a NetFlow exporter play in a network -It aggregates flows from multiple collectors. -It analyzes and reports flow information. -It defines cache flows. -It increases the bandwidth of the network.

-It defines cache flows.

What is considered an acceptable error rate in general terms? -Under 1 percent -Exactly 5 percen -Under 10 percent -Over 15 percent

-Under 1 percent

Which of the following is NOT a traffic class defined by DiffServ? -Best Effort -Assured Forwarding -Expedited Forwarding -Maximum Throughput

-Maximum Throughput

Three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad.

CIA triad Confidentiality Integrity Availability

means that certain information should only be known to certain people.

Confidentiality

means that the data is stored and transferred as intended and that any modification is authorized.

Integrity

means that information is accessible to those authorized to view or modify it.

Availability

A weakness that could be accidentally triggered or intentionally exploited to cause a security breach.

Vulnerability

The potential for someone or something to exploit a vulnerability and breach security. may be intentional or unintentional.

Threat; The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector.

The likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

Risk; Assessing risk helps you decide which vulnerabilities to prioritize patching and what additional security measures to implement.

Vulnerability + Threat =

Risk (Impact*Likelihood)

ensure that an organization has evaluated the risks it faces and has put security controls in place to mitigate those risks.

Security policies

Making a system more secure is also referred to as

hardening

is a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. is complex and treated very differently in companies and institutions of different sizes, and with different regulatory and compliance requirements.

Risk management

is something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation.

A security control

is a subset of risk management where the company's systems and procedures are audited for risk factors. Separate assessments can be devised to perform an initial evaluation and ongoing monitoring of threats, vulnerabilities, and security posture.

Risk assessment

The overall status of risk management is referred to as ____ .shows which risk response options can be identified and prioritized.

risk posture

is often performed with reference to an IT or security framework. The framework can be used to assess the organization’s maturity level in its use of security policies and controls. Audit process and tools for verifying compliance with a compliance framework or configuration baseline. For example verifying compliance with a health policy by using host health checks.

Posture assessment

are comprehensive reviews designed to ensure an organization's security posture aligns with established standards and best practices. including compliance audits, which assess adherence to regulations; risk-based audits, which identify potential threats and vulnerabilities in an organization's systems and processes; and technical audits, which delve into the specifics of the organization's IT infrastructure, examining areas such as network security, access controls, and data protection measures.

Cybersecurity audits

is one that cannot be deferred. This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first. Business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

A mission essential function (MEF)

is the process of assessing what losses might occur for a range of threat scenarios. Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

Business impact analysis (BIA)

imposes externally determined requirements on companies in certain industries or when processing certain types of data. These regulations might dictate the type of controls that must be deployed, and the type and frequency of audits. An organization might be subject to a compliance audit run by external auditors to verify that it is meeting the requirements of the regulations.

Regulatory compliance

is data that can be used to identify, contact, locate, or describe an individual. include name, date of birth, email address, telephone number, street address, biometric data, A Social Security number (SSN)

Personally identifiable information (PII)

is one example of privacy legislation governing the collection and processing of PII. means that personal data cannot be collected, processed, or retained without the individual's informed consent unless there are other overriding considerations, such as public interest or other legal obligations. Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.

The European Union's General Data Protection Regulation (GDPR)

means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legal jargon.

Informed consent

refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

Data sovereignty

for credit card information. An organization that directly processes credit card transactions must adopt the ____ standard to safeguard the cardholder data environment (CDE).. Payment card information comprises the card number, expiry date, and the three-digit card verification value (CVV). Cards are also associated with a PIN, but this should never be transmitted to or handled by the merchant.

Payment Card Industry Data Security Standard (PCI DSS)

system ensures that a computer system or network meets the goals of the CIA triad. governs how subjects may interact with objects. Subjects are people, devices, software processes, or any other system that can request and be granted access to a resource. Objects are the resources. An object could be a network, server, database, app, or file. Subjects are assigned rights or permissions on resources.

Access control

converts a human-readable plaintext into a ciphertext. A ciphertext must be decrypted using a key linked to the initial encryption process before it can be read. This makes data confidential, so long as the key is only available to authorized persons.

An encryption algorithm

converts a variable length string into a fixed-length hash. This hash cannot be converted back to a plaintext. This can prove the integrity of data (verifying that it has not been modified). It is also used for password storage and in other authentication solutions.

A cryptographic hash algorithm

The state in which data is in some sort of persistent storage media.

Data at rest

The state in which data is transmitted over a network.

Data in transit (or data in motion)

The state in which data is present in volatile memory, such as system RAM or CPU registers and cache.

Data in use (or data in processing)

is the specific code or method of using a vulnerability to gain control of a system or damage it in some way.

An exploit

A vulnerability that is exploited before the developer knows about it or can release a patch is called a

zero-day.

is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system. determines if the current configuration matches the ideal configuration (the baseline). might involve manual inspection of security controls but are more often accomplished through automated vulnerability scanners.

A vulnerability assessment

is a decoy computer system designed to attract attackers. provide early warning of attack attempts and valuable insights into attacker behavior. is an entire decoy network. This may be set up as an actual network or simulated using an emulator.

A honeypot

What does "integrity" in the context of the CIA Triad mean? -The data is stored and transferred as intended and that any modification is authorized. -Information is accessible to those authorized to view or modify it. -Certain information should only be known to certain people. -The system is protected against unauthorized access and attacks.

-The data is stored and transferred as intended and that any modification is authorized.

is the process of identifying threat sources and profiling the types and capabilities of threat actors.

Threat assessment

is one that has no account or authorized access to the target system. must infiltrate the security system using malware and/or social engineering.

An external threat actor or agent

is one that has been granted permissions on the system. This typically means an employee, can also arise from contractors and business partners.

an internal (or insider) threat actor

is a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of threat actors.

Threat research

The outputs from the primary research undertaken by security solutions providers and academics can take three main forms:

behavioral threat research Reputational threat intelligence Threat data

Narrative commentary describing examples of attacks and TTPs gathered through primary research sources.

Behavioral threat research

Lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware

Reputational threat intelligence

Computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.

Threat data

allows a threat actor to discover the topology and general configuration of the network and security systems. can be done by social engineering attacks—persuading users to give information or locating information that has been thrown out as trash, for instance. Port scanning specifically aims to enumerate the TCP or UDP application ports on which a host will accept connections.

Footprinting

allows a threat actor to identify device and OS types and versions. When a host running a particular operating system responds to a port scan, the syntax of the response might identify the specific operating system. This fact is also true of application servers, such as web servers, FTP servers, and mail servers. The responses these servers make often include headers or banners that can reveal a great deal of information about the server. A threat actor can use this information to probe for known vulnerabilities.

Fingerprinting

covers a wide range of different attacks. can include any type of attack where the threat actor disguises their identity, or in which the source of network information is forged to appear legitimate. Social engineering and techniques such as phishing and pharming, where the attacker sets up a false website in imitation of a real one. Attack technique where the threat actor disguises his or her identity or impersonates another user or resource.

"spoofing"

attack causes a service at a given host to fail or to become unavailable to legitimate users. focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth. might involve cutting telephone lines or network cabling or switching off the power to a server.

A denial of service (DoS)

is launched simultaneously by multiple hosts. simply aim to consume network bandwidth, denying it to legitimate hosts. Others cause resource exhaustion on the hosts processing requests, consuming CPU cycles and memory. The problem is that a server may only be able to manage a limited number of pending connections, which the __ attack quickly fills up. This means that the server is unable to respond to genuine requests.

A distributed DoS (DDoS)

A more powerful TCP SYN flood attack is a type of ______ . In this attack, the adversary spoofs the victim's IP address and attempts to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim's available bandwidth.

distributed reflection DoS (DRDoS) or amplification attack

is a group of compromised hosts that can be used to launch DDoS and DRDoS attacks. A threat actor will first compromise one or two machines to use as handlers or herders. The handlers are used to compromise hundreds, thousands, or even millions of zombie hosts and install DDoS tools on them

A botnet

The network established between the handlers and the bots is called a

command and control (C2 or C&C) network.

can be defined simply as software that does something bad, from the perspective of the system owner. such as Trojan, virus, and worm, focus on the vector used by the ___. The vector is the method by which the ____ executes on a computer and potentially spreads to other network hosts.

malware

These represent some of the first types of malware and spread without any authorization from the user by being concealed within the executable code of another process. ____ infect files, while _____can infect processes running in system memory.

Viruses, Worms

Malware concealed within an installer package for software that appears to be legitimate. This type of malware does not seek any type of consent for installation and is actively designed to operate secretly.

Trojan

Software installed alongside a package selected by the user or perhaps bundled with a new computer system. It may have been installed without active consent or consent from a purposefully confusing license agreement. This type of software is sometimes described as grayware rather than malware.

Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)

Other classifications are based on the ____delivered by the malware. The ____ is an action performed by the malware other than simply replicating or persisting on a host. Examples of ____ classifications include spyware, rootkit, remote access Trojan (RAT) or backdoor, and ransomware.

payload

does not write its code to disk. The malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. This does not mean that there is no disk activity at all, however. The malware may change registry values to achieve persistence (executing if the host computer is restarted). The initial execution of the malware may also depend on the user running a downloaded script, file attachment, or Trojan software package.

Fileless malware

Fileless malware uses lightweight _____ to achieve a backdoor mechanism on the host. The _____ is easy to recompile in an obfuscated form to evade detection by scanners. It is then able to download additional packages or payloads to achieve the threat actor's objectives. These packages can also be obfuscated, streamed, and compiled on the fly to evade automated detection.

shellcode

Fileless malware may use ___ techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. If they can be executed with sufficient permissions, these environments provide all the tools the attacker needs to perform scanning, reconfigure settings, and exfiltrate data.

"live off the land"

What does the payload of malware refer to? -The size of the malware file -The method by which the malware spreads -The malware action other than replication -The amount of data the malware can steal

-The malware action other than replication. The payload of malware refers to the specific actions it performs on the infected system, aside from spreading or replicating. These actions can include damaging files, stealing data, or installing additional malicious software. This distinguishes the payload from the method of spread (vector) or the characteristics of the malware file itself.

is a specific type of spoofing attack where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them. The threat actor might also have the opportunity to modify the traffic before relaying it.

An on-path attack; also known by the term "Man-in-the-Middle (MitM); The terms "Manipulator in the Middle," "Machine in the Middle," and "Adversary in the Middle (AitM)" are also used as replacements.

A host can arbitrarily select any MAC and/or IP address and attempt to use it on the network. While each network interface has a burned-in MAC address, this can be changed to any arbitrary value using packet crafting software. A threat actor might exploit this to spoof the value of a valid MAC or IP address to try to circumvent an access control list or impersonate a legitimate server.

MAC Spoofing and IP Spoofing

is a common means of perpetrating an on-path attack. It works by broadcasting unsolicited ARP reply packets, also known as gratuitous ARP replies, with a source address that spoofs a legitimate host or router interface. Because ARP has no security, all devices in the same broadcast domain as the rogue host trust this communication and update their MAC:IP address cache table with the spoofed address. The ARP cache is said to be poisoned. Because the threat actor broadcasts endless ARP replies, it overwhelms the legitimate interface.

ARP spoofing

A variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses. Where ARP poisoning is directed at hosts, _____ is used to attack a switch. The intention of the attacker is to exhaust the memory used to store the switch's MAC address table. The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor.

MAC flooding

is an attack designed to send traffic to a VLAN other than the one the host system is in. This exploits the default VLAN feature of 802.1Q. Default VLANs are designed to provide compatibility with non-VLAN capable switches. The attacker, using a device placed in the default VLAN, crafts a frame with two VLAN tag headers. The first trunk switch to inspect the frame strips the first header, and the frame gets forwarded to the target VLAN. Such an attack can only send packets one way but could be used to perform a DoS attack against a host on a different VLAN.

VLAN hopping

is normally configured on a network with several switches. The primary purpose is to prevent switching loops. To make STP work, a single switch is designated as the root bridge. If an attacker can become the root bridge, they are then able to see a variety of frames that they normally wouldn't see. To perpetrate this attack, the attacker inserts their switch into the tree and manipulates it to appoint their switch as the root bridge.

Spanning Tree Protocol (STP) manipulation attack

What is an on-path attack? -A type of physical attack where the attacker physically intercepts a data transmission. -A type of spoofing attack where a threat actor intercepts communications between two hosts. -A cyber-attack that exclusively targets the path of data storage devices. -An attack where the threat actor creates a new path in a network to reroute data.

-A type of spoofing attack where a threat actor intercepts communications between two hosts.

What happens when a switch's MAC address table is overwhelmed due to a MAC flooding attack? -The switch only forwards traffic to the attacker's port. -The switch begins to function as a hub. -The switch automatically shuts down for security reasons -The switch increases its memory capacity automatically.

-The switch begins to function as a hub.

When a device or service on your network isn't under the administrative control of the network staff, it's called a ____. ___ devices and services are often completely malicious. They exist for the sole purpose of stealing sensitive information such as credit card numbers and passwords. could include wireless access point, DHCP servers, DNS servers, and so on.

rogue

may be deployed accidentally (forgetting to disable a DHCP server in an access point or router, for instance) or may be used by a malicious threat actor to subvert the network. A threat actor would normally use a rogue server to change the default gateway and/or DNS resolver addresses for the subnet and route communications via their machine.

A rogue DHCP server

uses bogus requests to use up leases in a legitimate DHCP server's address pool. An exhausted DHCP scope means legitimate hosts cannot obtain a lease. might be a denial of service (DoS) mechanism or be used to force legitimate hosts to obtain a lease from a rogue DHCP server.

A DHCP starvation attack

attacks might use _____ techniques to cause victims to confuse malicious sites with legitimate ones.

typosquatting

On a private network, a DNS attack is likely to mean some sort of _____ These DNS attacks compromise the process by which clients query name servers to locate the IP address for a domain name.

DNS spoofing or DNS poisoning. DNS spoofing and poisoning attacks are often taken to mean the same thing, but technically spoofing is using false DNS requests or replies or running a rogue DNS service, while poisoning is manipulating cached records.

If the threat actor has access to the same local network as the victim, the attacker can use ARP poisoning to respond to DNS queries from the victim with spoofed replies. This might be combined with a denial of service attack on the victim's legitimate DNS server. A rogue DHCP could be used to configure clients with the address of a DNS resolver controlled by the threat actor.

DNS-Based On-Path Attacks

Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, they will be able to redirect traffic.

DNS Client Cache Poisoning

aims to corrupt the records held by the DNS server itself.One attack method involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query, but also includes a lot of false domain:IP mappings for other domains that the victim DNS accepts as genuine. The nslookup or dig tool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.

DNS server cache poisoning

refers to a collection of techniques and tricks designed to gain some type of unauthorized access to premises or data.

Social engineering

takes advantage of the unintentional actions of others to gather information or gain access to a secure facility.

Passive social engineering

involves direct interaction with users, asking them to disclose information or take actions.

Active social engineering

(pretending to be someone else) is one of the basic social engineering techniques.

Impersonation

is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector.

Phishing

A threat actor can learn a password or PIN (or other secure information) by watching the user type it. This is referred to as a they could use high-powered binoculars or CCTV to directly observe the target remotely.

shoulder surfing attack

is a means of entering a secure area without authorization by following closely behind the person that has been allowed to open the door or checkpoint.

Tailgating

is a similar situation but means that the attacker enters a secure area with an employee's permission.

. Piggybacking

refers to combing through an organization's (or individual's) garbage to try to find useful documents (or even files stored on discarded removable media).

Dumpster diving

In most cases, a password is stored and transmitted securely by making a cryptographic hash of the string entered by the user. A cryptographic hash algorithm, such as ______, produces a fixed-length string from a variable-length string.

Secure Hash Algorithm (SHA) or Message Digest v5 (MD5)

The software matches the hash to those produced by ordinary words found in a dictionary. This could also include information such as user and company names, pet names, or any other data that people might naively use as passwords.

Dictionary

The software tries to match the hash against one of every possible combination it could be. If the password is short (under eight characters) and non-complex (using only letters, for instance), a password might be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to run.

Brute force

governs how subjects/principals may interact with objects. When implemented on a computer system or network, ____ is a type of logical security. Modern _____ is typically implemented as an identity and access management (IAM) system.

access control

IAM comprises four main processes:

Identification - Creating an account or ID that uniquely represents the user, device, or process on the network. Authentication - Proving that a subject is who or what it claims to be when it attempts to access the resource. An authentication factor determines what sort of credential the subject can use. For example, people might be authenticated by providing a password; a computer system could be authenticated using a token such as a digital certificate. Authorization - Determining what rights subjects should have on each resource, and enforcing those rights. An authorization model determines how these rights are granted. For example, in a discretionary model, the object owner can allocate rights. In a mandatory model, rights are predetermined by system-enforced rules and cannot be changed by any user within the system. Accounting - Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

The type of data used to create a credential is called an authentication factor. Authentication factors fall into the following categories:

Knowledge factor—Something you know (such as a password). Ownership factor—Something you have (such as a smart card). Human or biometric factor—Something you are (such as a fingerprint). Behavioral factor—Something you do (such as making a signature). Location factor—Somewhere you are, such as only being able to log into an account from a specific location, known as geofencing. Time factor—Somewhen you are (such as only being permitted to start a session during work hours or using an access token before it expires).

is the software architecture and code that underpins the mechanism by which the user is authenticated before starting a shell. This is usually described as a login (Linux) or a logon or sign-in (Microsoft). Knowledge-based authentication, using a password or PIN, is the default _____ for most operating systems.

authentication provider

The Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

Windows local sign-in

The LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.

Windows network sign-in

If the user's device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.

Remote sign-in

In Linux, local user account names are stored in

/etc/passwd

When a user logs in to a local interactive shell, the password is checked against a hash stored in ___

/etc/shadow

is a package for enabling different authentication providers, such as smart card login. can also be used to implement authentication to network servers.

A pluggable authentication module (PAM)

allows the user to authenticate once to a local device and be authorized to access compatible application servers without having to enter credentials again.

A single sign-on (SSO) system

One means of implementing SSO is the _____. provides SSO authentication to Active Directory, as well as compatibility with other, non-Windows operating systems. was named after the three-headed guard dog of Hades (Cerberus) because it consists of three parts: Client (which requests services), Server (from which the service is requested) and a Key Distribution Center (KDC)—to vouch for their identity.

Kerberos framework

There are two services that make up a KDC (Key Distribution Center)

the Authentication Service and the Ticket Granting Service.

is responsible for authenticating user logon requests. More generally, users and services can be authenticated; these are collectively referred to as principals.

The Authentication Service

also referred to as asymmetric encryption, solves the problem of distributing encryption keys when you want to communicate securely with others, authenticate a message that you send to others, or authenticate yourself to an access control system.

Public key cryptography

When you want others to send you confidential messages

you give them your public key to use to encrypt the message. The message can then only be decrypted by your private key, which you keep known only to yourself. Due to the way asymmetric encryption works, the public key cannot be used to decrypt a message, even though it was used to encrypt it in the first place.

When you want to authenticate yourself to others

you create a signature using your private key. You give others your public key to use to verify the signature. As only you know the private key, everyone can be assured that only you could have created the signature.

aims to prove that the owners of public keys are who they say they are. anyone distributing public keys should obtain a digital certificate. The validity of the certificate is guaranteed by a certificate authority (CA). A digital certificate is essentially a wrapper for a subject's (or end entity's) public key. As well as the public key, it contains information about the subject and the certificate's issuer or guarantor. The certificate is digitally signed to prove that it was issued to the subject by a particular CA.

Under Public key infrastructure (PKI)

A digital certificate that has been signed by the entity that issued it, rather than by a CA

self-signed certificate

refers to operational considerations for the various stages in the lifecycle of an encryption key or key pair.

Key management

A key's lifecycle may involve the following stages:

Key Generation—Creates an asymmetric key pair or symmetric secret key of the required strength, using the chosen cipher. Storage—Prevents unauthorized access to a private or secret key and protects against loss or damage. Revocation—Prevents use of the key if it is compromised. If a key is revoked, any data that was encrypted using it should be re-encrypted using a new key. Expiration and Renewal—Gives the certificate that validates the key a "shelf-life" to increase security. Every certificate expires after a certain period. Certificates can be renewed with the same key pair or with a new key pair.

Creates an asymmetric key pair or symmetric secret key of the required strength, using the chosen cipher.

Key Generation

Prevents unauthorized access to a private or secret key and protects against loss or damage.

Storage

Prevents use of the key if it is compromised. If a key is revoked, any data that was encrypted using it should be re-encrypted using a new key.

Revocation

Gives the certificate that validates the key a "shelf-life" to increase security. Every certificate expires after a certain period. Certificates can be renewed with the same key pair or with a new key pair.

Expiration and Renewal

means that keys are generated and managed directly on the computer or user account that will use the certificate. This does not require any special setup and so is easy to deploy. It makes the detection of key compromise more difficult, however.

A decentralized key management model

In one type of cryptographic key management system, a dedicated server or appliance is used to generate and store keys. When a device or app needs to perform a cryptographic operation, it uses the _____ to communicate with the server.

Key Management Interoperability Protocol (KMIP)

____ is the notion that a network needs to be accessible to more than just a well-defined group of employees. In business, a company might need to make parts of its network open to partners, suppliers, and customers. ___- means that the company trusts accounts created and managed by a different network.

Federation

These interoperable federation protocols use claims-based identity. While the technical implementation and terminology is different, the overall model is similar to that of Kerberos SSO:

A service provider (SP) establishes a trust relationship with an identity provider (IdP). The principal attempts to access a service provider. The service provider redirects the principal to the IdP. The principal authenticates with the identity provider. If authentication is successful, the principal obtains a claim, in the form of some sort of token or document signed by the IdP. The principal presents the claim to the service provider. The SP can validate that the IdP has signed the claim because of its trust relationship with the IdP.

A federated network or cloud needs specific protocols and technologies to implement user identity assertions and transmit claims between the principal, the service provider, and the identity provider. _____ is one such solution. assertions (claims) are written in eXtensible Markup Language (XML). Communications are established using HTTP/HTTPS and the Simple Object Access Protocol (SOAP). The secure tokens are signed using the XML signature specification. The use of a digital signature allows the relying party to trust the identity provider.

Security Assertion Markup Language (SAML)

Remote authentication is typically used in two scenarios:

Authenticating with a cloud provider or web host or joining a virtual private network (VPN). With a VPN, the remote user connects to a remote access server on the perimeter of the private network. Authenticating with a different host over a private network. Administrators commonly need to manage switches, routers, and servers. Rather than go to the device and start a local console session, they use Secure Shell (SSH) or Remote Desktop Protocol (RDP) to start a session over the network from their management workstation or laptop. The target device must be running an SSH server service or RDP terminal access server.

To mitigate these issues, remote access usually uses an authentication, authorization, and accounting (AAA) architecture. AAA uses the following components:

Supplicant—The device requesting access, such as a user's PC or laptop. Network access server (NAS) or network access point (NAP)—Edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as AAA clients or authenticators. AAA server—The authentication server, positioned within the local network. This server either holds a database of accounts and credentials or has access to a directory server that can authenticate requests and issue SSO authorizations. There are two main types of AAA server: RADIUS and TACACS+.

is very widely used for client device access over VPNs. typically uses UDP ports 1812 and 1813.

Remote Authentication Dial-In User Service (RADIUS)

is a similar protocol to RADIUS but designed to be more flexible and reliable. was developed by Cisco but is also supported on many of the other third-party and open source RADIUS server implementations. Where RADIUS is often used for network access control over end user devices, ____ is often used in authenticating administrative access to routers and switches. It uses TCP over port 49, and the reliable delivery offered by TCP makes it easier to detect when a server is down.

Terminal Access Controller Access Control System (TACACS+)

What is a key component of federated identity management? -Active Directory -Claims-based identity -Password synchronization -Single sign-on with a single password for all accounts

-Claims-based identity Federated identity management often relies on claims-based identity, where a user's identity is verified through claims (like tokens or documents) issued by a trusted identity provider. This method is crucial for interoperability between different platforms and networks.

What is a key difference between RADIUS and TACACS+ in terms of protocol functionality? -RADIUS encrypts the entire authentication process, while TACACS+ does not. -TACACS+ separates AAA functions, while RADIUS does not. -TACACS+ uses UDP for communication, while RADIUS uses TCP. -TACACS+ is only used for wireless access, while RADIUS is not.

-TACACS+ separates AAA functions, while RADIUS does not. TACACS+ provides more flexibility by separating authentication, authorization, and accounting functions into discrete processes. This separation allows for more granular control over each aspect of the access control process.

Why are behavioral, location, and time factors not reliable enough to be used as single factors in authentication? -They are too easy to fake. -They are not specific or reliable enough. -They are too difficult to measure. -They are not recognized by authentication systems.

-They are not specific or reliable enough.

What does the Ticket Granting Ticket (TGT) provide in the Kerberos authentication process? -Immediate access to all network resources -A token that grants access to a target application server -Authentication for user logon requests -The ability to request Service Tickets from the TGS

-The ability to request Service Tickets from the TGS The Ticket Granting Ticket (TGT) is provided by the KDC after a user is authenticated. It does not grant immediate access to resources or authenticate logon requests. Instead, it enables the client to request Service Tickets from the Ticket Granting Service (TGS), which are then used to access specific services or resources within the network.

What framework does Windows use to provide Single Sign-On (SSO) authentication -OAuth -LDAP -Kerberos -SAML

-Kerberos Windows uses the Kerberos framework to provide Single Sign-On (SSO) authentication. Kerberos allows users to authenticate once to a local device and then access compatible application servers without needing to re-enter credentials. It is particularly used for authenticating users within Active Directory environments.

What is the preferred system for Windows network authentication? -NT LAN Manager (NTLM) -Kerberos -OAuth -SAML

-Kerberos

What is a mandatory model in authorization? -A model where rights are allocated by the system administrator -A model where rights are predetermined by system-enforced rules -A model based on the subject's role -A model based on the subject's attributes

-A model where rights are predetermined by system-enforced rules

is based on the primacy of the resource owner. every resource has an owner. The owner creates a file or service although ownership can be assigned to another user. The owner has full control over the resource, and they can modify its access control list (ACL) to grant rights to others.

Discretionary access control (DAC)

means that an organization defines its authorizations in terms of the tasks that an employee or service must be able to perform. Each set of permissions is a role. Each principal (user or service account) is allocated to one or more roles. Under this system, the right to modify the permissions assigned to each role is reserved to a system owner. Therefore, the system is nondiscretionary as each principal cannot modify the ACL of a resource, even though they can change the resource in other ways. Principals gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).

Role-based access control (RBAC)

refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts by internal threat actors and to mitigate risks from weak configuration control over authorizations.

Privileged access management (PAM)

means that a user is granted sufficient rights to perform their job and no more. This mitigates risk if the account should be compromised and fall under the control of a threat actor. Authorization creep refers to a situation where a user acquires more and more rights, either directly or by being added to security groups and roles. Least privilege should be ensured by closely analyzing business workflows to assess what privileges are required and by performing regular account audits.

Least privilege

is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

Separation of duties

Protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information. is not a directory standard, but a protocol used to query and update an X.500-like directory. is widely supported in current directory products, most notably in Windows Active Directory. Insecure ___ messaging uses TCP and UDP port 389 by default.

Lightweight Directory Access Protocol (LDAP)

The client must supply its distinguished name (DN) and password, but these are passed as plaintext.

Simple bind

This framework allows a client and server to negotiate authentication and encryption parameters to make a connection over TCP port 389 secure. The client and server negotiate the use of a supported authentication mechanism, such as Kerberos. The STARTTLS command can be used to require certificate-based encryption (sealing) and message integrity (signing).

Simple Authentication and Security Layer (SASL)

The server is installed with a digital certificate, which it uses to set up a secure Transport Layer Security (TLS) session to authenticate the server and protect the user's LDAP credentials and data. LDAPS uses port 636.

LDAP Secure (LDAPS)

Generally, two levels of access will need to be granted on the directory:

read-only access (query) and read/write access (update).

How does RBAC differ from using security groups for assigning permissions? -RBAC assigns permissions directly to users, while security groups do not. -RBAC is discretionary, while security groups are nondiscretionary. -RBAC focuses on job roles, while security groups are about user identity. -Security groups encrypt data, while RBAC does not.

-RBAC focuses on job roles, while security groups are about user identity.

What is the primary purpose of authorization in network systems? -To authenticate user identities -To allocate rights and permissions -To encrypt data -To monitor network traffic

-To allocate rights and permissions

What does an access key contain when generated by the server's security service for an authenticated user? -The user's password and login time -The user's username and group memberships -The IP address and MAC address of the user's device -The user's browsing history and application usage

-The user's username and group memberships

This system of focusing on the boundary between the public and private network and trusting everything that has connected via internal switches is called the _

perimeter security model.

Security strategy that positions the layers of diverse security control categories and functions as opposed to relying on perimeter controls. This refers to placing security controls throughout the network, so that all access attempts are authenticated, authorized, and audited.

defense in depth

What is the minimum recommended password length for network appliances according to the document? -8 characters -10 characters -12 characters -14 characters

-14 characters

What is the perimeter security model primarily focused on? -Trusting all connections within the internal network -Encrypting data stored on the network -Monitoring and controlling internal network traffic -Preventing unauthorized external access

-Trusting all connections within the internal network The perimeter security model focuses on securing the boundary between the public and private networks, essentially trusting everything that has connected via internal switches. This model assumes that if a connection has made it past the perimeter defenses, it can be trusted.

is a system for authenticating endpoints before they can fully connect to the network. This is principally designed to mitigate risks from rogue devices and services. A basic type of NAC can be implemented by configuring port security mechanisms. A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

Network access control (NAC)

means defining which MAC addresses are permitted to connect to a particular port. This can be done by creating a static lock list of valid MAC addresses or by specifying a limit to the number of permitted addresses. Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it

Configuring MAC filtering on a switch

If a host attempts to connect with a MAC address that violates policy, the switch port enters a violation state:

Protect mode Restrict mode Shutdown mode

means the port drops frames from the invalid source address but keeps the interface open otherwise. Protect mode can only be used with sticky MACs.

Protect mode

drops frames and logs and alerts violations but also keeps the interface open.

Restrict mode

disables the port and sends alerts. The port must be manually re-enabled using the no shutdown command. This is the default mode.

Shutdown mode

provides a framework for deploying multiple types of authentication protocols and technologies when an endpoint device needs to be authenticated before it can join the network. Framework for negotiating authentication methods that enable systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication and to establish secure tunnels through which to submit credentials.

The Extensible Authentication Protocol (EAP)

provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point, or VPN gateway. A standard for encapsulating EAP communications over a LAN (EAPoL) or WLAN (EAPoW) to implement port-based authentication. uses authentication, authorization, and accounting (AAA) architecture. If the AAA protocol is RADIUS, the switch is configured as a RADIUS client by specifying the IP address or host name of the RADIUS server and setting a shared secret. only DHCP offers from ports configured as trusted are allowed.

IEEE 802.1X Port-Based Network Access Control (NAC)

perform similar functions to DAI and DHCP snooping for IPv6 networks. Most hosts have IPv6 enabled by default and disabling it can often cause unexpected problems. Consequently, these switch protections should be enabled to mitigate spoofing and on-path attacks over IPv6.

Neighbor Discovery (ND) Inspection and Router Advertisement (RA) Guard

Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. On a Cisco switch, this is referred to as a switched port analyzer (SPAN).

port mirroring

What does a health policy in NAC solutions typically require from a client? -A financial report -An attestation report -A user activity log -A network performance analysis

-An attestation report A health policy in NAC solutions typically requires a client to submit an attestation report. This secure report proves that the client is running an authorized OS and has up-to-date patches and security scanner configurations, ensuring the device meets security standards before accessing the network.

If traffic does not match any rule, a firewall can be configured to block the traffic by default. This is called an

implicit deny.

If the firewall is not configured for default implicit deny, an ____- all rule can be added manually to the end of the ACL.

explicit deny

forwards requests and responses on behalf of its clients. deconstructs each packet, performs analysis, and then rebuilds the packet and forwards it on, providing it conforms to the rules. could also perform address translation to convert between private and public addressing schemes.

proxy server

means that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.

A nontransparent proxy

intercepts client traffic without the client having to be reconfigured.

A transparent (or "forced" or "intercepting")

provides for protocol-specific inbound traffic. Security and performance factors might make it unwise to allow hosts on a public network to connect directly to application servers. Instead, you can deploy a ____ and configure it to listen for client requests from a public network (the Internet) and create the appropriate request to the application server.

A reverse proxy server

is capable of applying Application layer filters based on HTTP data. It could also apply more general business rules, such as time-of-day restrictions. Security measure performed on email and Internet traffic to identify and block suspicious, malicious, and/or inappropriate content in accordance with an organization's policies.

, content filtering

A URL contains protocol (http or https, for instance), domain name, server path, and optionally query parameter components. A ____ can scan the URL embedded in an HTTP request and allow or block it. The filter might use simple domain filtering to block access to specific URLs that are known to host malicious content, are inappropriate, or violate the company's Internet usage policy. It could use regular expression pattern matching to filter by keywords or path and query parameters.

Uniform Resource Locator (URL) filtering

This filtering leverages continually updated databases that score websites based on their observed behavior and history. Sites known for hosting malware, engaging in phishing attacks, or distributing spam, for instance, would have a poor reputation score and could be automatically blocked. These databases can also sort websites into categories, such as social networking, gambling, adult content, webmail, or file sharing. Allowing or denying each category provides a simpler way to enforce web usage policies than allowing or denying individual URLs.

Content and reputation-based filtering

In security terms, the main unit of a logically segmented network is a __. an area of the network where the security configuration is the same for all hosts within it. is an area where all hosts have the same level of trust. Network traffic between ____ should be restricted by policies and rules. These rules are enforced by a security device—typically a firewall or proxy.

zone

Devices are subject to strict hardening and configuration management policies. Hosts, user accounts, and traffic with permission to operate in the zone are continually monitored to ensure compliance with security policies.

Private server administrative networks

Devices are subject to security policies and monitoring, but the diverse range of technologies and permissions to use public networks make the zone less than fully trusted.

Private client network

Unmanaged devices are allowed to connect, subject to some restrictions and monitoring. This zone is typically untrusted and would not be allowed access to trusted networks.

Guest

Devices are fully managed but accept connections from unmanaged public clients. Consequently, hosts within this zone are only partially trusted.

Public server network

The zone is unmanaged and therefore untrusted.

Public

Internet-facing hosts are placed in a ____. The basic principle of a ____ is that traffic cannot pass through it directly. enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network.

perimeter network zone

To configure a perimeter network, two different security configurations must be enabled:

one on the external interface and one on the internal interface.

uses two firewalls placed on either side of the perimeter network zone. The screening firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the perimeter zone subnet. A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports. Formerly referred to as a demilitarized zone (DMZ), this usage is now deprecated.

A screened subnet

The internal firewall filters communications between hosts in the perimeter and hosts on the LAN. This firewall is often described as the _____. A __ is a purposefully narrow gateway that facilitates better access control and easier monitoring.

choke firewall; choke point

A perimeter network can also be established using one router/firewall appliance with three (or more) network interfaces, referred to as ______. One interface is the public one, another is the perimeter subnet, and the third connects to the LAN.

triple homed.

performs real-time analysis of either network traffic or system and application logs. is configured with signature patterns. Each pattern represents a known type of malicious activity. If a pattern is matched in a traffic stream, the ____ raises an alert. Like antivirus software, the ___ must be kept up to date with the latest signature patterns. is often also configured with automated threat data, such as lists of IP addresses and domains that are associated with threat actors.

An intrusion detection system (IDS)

first defines a baseline of normal network traffic and then monitors it. It then looks for anything that falls outside that baseline. The main drawback is that ______ generates high levels of false positives, where legitimate traffic is flagged as malicious

anomaly-based detection

can provide an active response to any network threats that it matches. One typical preventive measure is to end the session by sending a TCP reset packet to the attacking host. Another option is for the sensor to apply a temporary filter on the firewall to block the attacker's IP address (shunning). Other advanced measures include throttling bandwidth to attacking hosts, applying complex firewall filters, and even modifying suspect packets to render them harmless. Finally, the appliance may be able to run a script or third-party program to perform some other action not supported by the ___ software itself. is now very commonly built into firewall appliances and proxy servers

an intrusion prevention system (IPS)

What is the role of the screening firewall in a screened subnet? -To connect directly to the LAN -To filter communications between hosts in the perimeter and the LAN -To restrict traffic on the external/public interface -To provide unrestricted access to the Internet

-To restrict traffic on the external/public interface

What is a perimeter network also known as? -A neutral zone -A triple homed network -screened subnet -A fully public network

-screened subnet

Which IDS traffic assessment indicates that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic? -False positive -Positive -Negative -False negative

-False positive A false positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic. A positive traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack. A negative traffic assessment means that the system deemed the traffic harmless and let it pass. A false negative traffic assessment means that harmful traffic passed without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.

is used to describe a global network of embedded systems used as or in personal devices, home appliances, home control systems, vehicles, and other items that have been equipped with sensors, software, and network connectivity.

The term internet of things (IoT)

An IoT smart device network will generally use the following types of components:

hub/control system Smart devices

IoT devices usually require a communications hub to facilitate wireless networking. There must also be a control system, as most IoT devices are headless, meaning they have no terminal interface. A headless hub could be implemented as a smart speaker operated by voice control or use a smartphone/PC app for configuration.

Hub/control system

IoT endpoints implement the function, such as a smart light bulb, refrigerator, thermostat/heating control, or doorbell/video entry phone. These devices are capable of compute, storage, and network functions that are all potentially vulnerable to exploits. Most smart devices use a Linux or Android kernel. Because they're effectively running mini-computers, smart devices are vulnerable to some of the standard attacks associated with web applications and network functions. Integrated peripherals such as cameras or microphones could be compromised to facilitate surveillance.

Smart devices

is a network of monitored locks, intruder alarms, and video surveillance cameras.

A physical access control system (PACS)

or smart building for offices and datacenters can include PACS, but also network-based configuration and monitoring of heating, ventilation, and air conditioning (HVAC); fire control; power and lighting; and elevators and escalators.

A building automation system (BAS)

These subsystems are implemented by ____ and various types of sensors that measure temperature, air pressure, humidity, room occupancy, and so on.

programmable logic controllers (PLCs)

provides mechanisms for workflow and process automation. controls machinery used in critical infrastructure, such as power suppliers, water suppliers, health services, telecommunications, and national security services.

An industrial control system (ICS)

An ICS that manages process automation within a single site is usually referred to as a ____

distributed control system (DCS).

system takes the place of a control server in large-scale, multiple-site ICSs. typically run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. typically use WAN communications, such as cellular data networks, to link the____ server to field devices.

A supervisory control and data acquisition (SCADA)

A cabled network for industrial systems is referred to as an ___. A communications network designed to implement an industrial control system rather than data networking. typically uses either serial data protocols or industrial Ethernet.

operational technology (OT) network.

enables long-distance communication over the same system that supports mobile phones and smartphones. This is also called baseband radio, after the baseband processor that performs the function of a ___ modem.

A cellular network for IoT

This refers to a low-power version of the Long Term Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than regular cellular. This means that data rates are limited (20–100 kbps), but most sensors need to send small packets with low latency, rather than making large data transfers. also has greater penetrating power, making it more suitable for use in inaccessible locations, such as tunnels or deep within buildings, where ordinary cellular connectivity would be impossible.

Narrowband-IoT (NB-IoT)

This is another low-power system but supports higher bandwidth (up to about 1 Mbps).

LTE Machine Type Communication (LTE-M)

What distinguishes smart building technology from consumer-grade IoT devices in terms of security? -Smart building technology is more prone to compromise. -Smart building technology has less scope for compromise -Smart building technology uses Bluetooth exclusively. -Smart building technology cannot be updated.

-Smart building technology has less scope for compromise The correct answer is that smart building technology has less scope for compromise. Properly designed smart building systems have more robust entry mechanisms and control components, making them less susceptible to security compromises compared to consumer-grade devices.

What is a "data historian" in the context of an ICS? -A database generated by the control loop -A backup server for industrial data -A cybersecurity tool for industrial networks -A communication protocol for PLCs

-A database generated by the control loop

is the use of network attributes to identify (or estimate) the physical position of a device. The device uses location services to determine its current position. Location services can make use of two systems: GPS and IPS

Geolocation

This is a means of determining the device's latitude and longitude based on information received from satellites via a ___sensor.

Global Positioning System (GPS)

This works out a device's location by triangulating its proximity to other radio sources, such as cell towers, Wi-Fi access points, and Bluetooth/RFID beacons.

Indoor Positioning System (IPS)

is the practice of creating a virtual boundary based on real-world geography. can be a useful tool with respect to controlling the use of camera or video functions or applying context-aware authentication. Security control that can enforce a virtual boundary based on real-world geography.

Geofencing

What can an organization use geofencing for? -To increase the speed of their internet connection -To monitor the productivity of their employees -To control the use of camera functions on devices -To improve the accuracy of their GPS systems

-To control the use of camera functions on devices

better known as Wi-Fi, define the Physical layer media by which data is encoded into a radio carrier signal using a modulation scheme. The properties of radio waves include amplitude (the height of peaks and troughs), frequency (the number of peaks per unit of time), and phase (the angle of a wave at a point in time).

IEEE 802.11 standards

802.11 uses ______ to cope with contention. when a station receives a frame, it performs error checking. If the frame is intact, the station responds with an acknowledgment (ACK). If the ACK is not received, the transmitting station resends the frame until timing out. 802.11 also defines a virtual carrier sense flow control mechanism to further reduce the incidence of collisions. A station broadcasts a request to send (RTS) with the source and destination and the time required to transmit. The receiving station responds with a clear to send (CTS), and all other stations in range do not attempt to transmit within that period.

carrier sense multiple access with collision avoidance (CSMA/CA)

is better at propagating through solid surfaces, making it ideal for providing the longest signal range. does not support many individual channels and is often congested, both with other Wi-Fi networks and other types of wireless technology, such as Bluetooth®. there is increased risk of interference, and the maximum achievable data rates are typically lower

2.4 GHz band

is less effective at penetrating construction materials or solid furniture and so does not support the maximum ranges. the band supports more individual channels and suffers less from congestion and interference, meaning it supports higher data rates at shorter ranges.

5 GHz

use of the 5 GHz frequency band and a multiplexed carrier scheme called Orthogonal Frequency Division Multiplexing (OFDM). has a nominal data rate of 54 Mbps.

The IEEE 802.11a standard

standard uses the 2.4 GHz frequency band. It standardized the use of the carrier method Direct Sequence Spread Spectrum (DSSS), along with Complementary Code Keying (CCK) signal encoding. While in some ways DSSS was an inferior technology to OFDM—with a nominal data rate of just 11 Mbps

The 802.11b standard

uses OFDM, but in the 2.4 GHz band. devices that could offer backwards support for legacy 802.11b clients. has a nominal data rate of 54 Mbps. compatibility mode, it drops back to using DSSS.

The 802.11g standard

increases bandwidth by multiplexing the signals from two to four separate antennae (a radio chain) using a collection of technologies generally referred to as multiple input multiple output (MIMO). The configuration of an ___radio chain is identified by AxB:C notation, where A is the number of transmit antennae, B is the number of receive antennae, and C is the number of simultaneous transmit and receive streams. The maximum possible is 4x4:4, but common configurations are 2x2:2 or 3x3:2. can use channels in the 2.4 GHz band and the 5 GHz band. also allows two adjacent 20 MHz channels to be combined into a single 40 MHz channel, referred to as channel bonding. The data rate for ___ is 72 Mbps per stream. Assuming the maximum number of four spatial streams and optimum conditions, the nominal data rate could be as high as 600 Mbps for a 40 MHz bonded channel.

The 802.11n standard

Use of multiple reception and transmission antennas to boost wireless bandwidth via spatial multiplexing and to boost range and signal reliability via spatial diversity. by multiplexing the signals from two to four separate antennae (a radio chain) using a collection of technologies generally referred to as

multiple input multiple output (MIMO)

If the same data stream is sent by two or three transmit antennae, the receiver can combine them to derive a stronger signal and increase range at a given data rate. Similarly, multiple receive antennae can derive a stronger signal, even if there is only one transmit stream. This is referred to

as spatial diversity

is designed to work only in the 5 GHz band. It supports more channel bonding (up to 80 or 160 MHz channels), up to eight spatial streams, rather than four, and denser modulation (at close ranges). access points are marketed using AC values, such as AC5300. The 5300 value represents 1,000 Mbps over a 40 MHz channel in the 2.4 GHz band and two 2,167 Mbps streams over 80 MHz channels in the 5 GHz band.

The Wi-Fi 5 (or 802.11ac)

uses advanced modulation and signal encoding to improve the amount of data sent per packet by about 40%. uses the radio spectrum is designated as high efficiency (HE) to reflect these improvements. is to approximate 10G connection speeds (AX11000). For example, AX6000 is nominally 1,148 Mbps on the 2.4 GHz radio and 4,804 over 5 GHz. specifies use of a new 6 GHz frequency band, which is required to achieve the highest data rates.

Wi-Fi 6 (802.11ax)

the OFDM with multiple access (OFDMA) modulation scheme allows sub-carriers or tones to be allocated in groups of different sizes, referred to as _, , each of which can communicate in parallel.

resource units (RUs)

In basic 802.11 operation modes, bandwidth is shared between all stations because of the CSMA/CA contention protocol. An AP can communicate with only one station at a time; multiple station requests go into a queue. Wi-Fi 5 and Wi-Fi 6 products address this problem using beamforming or ___. Use of spatial multiplexing to allow a wireless access point to support multiple client stations simultaneously.

Multiuser MIMO (MU-MIMO).

allows the AP to use its multiple antennae to process a spatial stream of signals in one direction separately from other streams. This means that groups of stations on a different alignment can connect simultaneously and also obtain more bandwidth.

Downlink MU-MIMO (DL MU-MIMO)

allows an access point to make it more likely that a client will connect to the 5 GHz or 6 GHz band than the 2.4 Ghz band. It does this by reducing the number of beacons used to advertise the 2.4 GHz network. The goal is to restrict the use of the 2.4 GHz band to devices with no 5/6 GHz capability.

. Band steering

is operated by telecommunications providers. establishes a connection with the nearest available cell or base station. Each base station has an effective range of up to 5 miles (8 km). The base station links the device to global telecommunications networks.

cellular radio

has a maximum downlink of 150 Mbps in theory, but around 20 Mbps is typical of real-world performance.

The Long Term Evolution (LTE) 4G standard

specifies a 300 Mbps downlink, but this aspiration is not matched by real-world performance. The current typical performance for ___ is up to 90 Mbps.

LTE Advanced (LTE-A)

can use a broader radio spectrum, from low (sub-1 GHz) to medium/high (6 GHz to 40 GHz). involves installing hundreds of smaller antennae to form an array that can take advantage of multipath and beamforming to overcome the propagation limitations of the spectrum. This is also referred to as massive MIMO. has a maximum peak rate of 20 Gbps. , ranging from about 50 Mbps to 300 Mbps at time of writing.

such as 900 MHz or 1,900 MHz, have greater range and penetrating power.

Low bands

also referred to as millimeter wave (mmWave), require close range (a few hundred feet) and cannot penetrate walls or windows.

High bands

systems use microwave dishes aligned to orbital satellites that can either relay signals between sites directly or via another satellite.

Satellite

One drawback of this is increased latency. The signal must travel over thousands of miles more than terrestrial connections, introducing a delay of many times what might be expected over a land link. the ISP installs a very small aperture terminal (VSAT) satellite dish antenna at the customer's premises and aligns it with the orbital satellite. Because the satellite does not move relative to the dish, there should be no need for any realignment. The antenna is connected via coaxial cabling to a digital video broadcast satellite (DVB-S) modem. The transfer rates available vary between providers and access packages, but 2 or 6 Mbps up and 30 Mbps down would be typical.

Geostationary Orbital Satellite Internet Access

uses an array of satellites positioned in ___. support better bandwidth (around 70–100 Mbps at the time of writing) and are lower latency (100–200 ms RTT). The drawback is that the satellites move relative to the surface of Earth. The customer's premises antenna must be provisioned with a motor so that it can periodically realign with the array. The dish construction uses a technology called phased array to connect to different satellites as they pass overhead and minimize the amount of mechanical realignment required. The antenna must have a clear view of the whole sky.

Low Earth Orbital Satellite Internet Access

Satellites are also used to implement the ______. allows a device with a suitable sensor to triangulate its position using signals from orbital satellites. As this triangulation process can be slow, most smartphones and laptops use ___ to obtain coordinates from the nearest cell tower and adjust for the device's position relative to the tower.

Global Positioning System (GPS); Assisted GPS (A-GPS) (uses cellular data.)

What is the function of the Request to Send (RTS) and Clear To Send (CTS) mechanism in IEEE 802.11 networks? -To encrypt data transmissions -To assign IP addresses to devices -To further reduce the incidence of collisions -To increase the transmission speed

-To further reduce the incidence of collisions The Request to Send (RTS) and Clear To Send (CTS) mechanism in IEEE 802.11 networks is used to further reduce the incidence of collisions. By broadcasting an RTS with the source, destination, and time required to transmit, and receiving a CTS in response, other stations are informed not to transmit during that period, thus minimizing the chance of collisions.

What is the primary purpose of the IEEE 802.11 standards? -To define the protocols for wired networking -To establish security standards for the Internet -To define the physical layer media for wireless LANs -To regulate the manufacturing of wireless devices

-To define the physical layer media for wireless LANs

What is the effect of operating in High Throughput (HT)/greenfield mode? -It increases compatibility with older standards. -It maximizes performance. -It reduces overall WLAN performance. -It increases the number of available channels.

-It maximizes performance. High Throughput (HT)/greenfield mode is designed to maximize performance by not transmitting legacy identification and collision avoidance frames. This mode is used when all devices on the network support 802.11n, allowing for the most efficient use of the available bandwidth.

What additional feature does the IEEE 802.11h standard introduce to the 5 GHz band? -Increased data rates -Dynamic Frequency Selection (DFS) -Enhanced encryption -Reduced channel width

-Dynamic Frequency Selection (DFS) The IEEE 802.11h standard introduces Dynamic Frequency Selection (DFS) to the 5 GHz band. DFS is a feature designed to prevent interference with radar and satellite signals by automatically selecting frequency channels that are not being used by those services. This addition helps to ensure that Wi-Fi networks operating in the 5 GHz band do not interfere with critical radar operations.

You are a network administrator tasked with setting up a Wi-Fi network in a large office building. The building has multiple floors with thick concrete walls and several electronic devices that could cause interference. Your primary goal is to ensure high data rates and minimal interference for the office's Wi-Fi network. Given this scenario, which frequency band and configuration would be the most appropriate for your Wi-Fi network? -Use the 2.4 GHz band because it has better penetration through solid surfaces. -Use the 5 GHz band because it supports higher data rates and has more individual channels. -Use the 2.4 GHz band because it is less congested and supports more individual channels. -Use the 5 GHz band but limit the power output to comply with regulatory constraints.

-Use the 5 GHz band because it supports higher data rates and has more individual channels.

What is the effective range of a cellular base station? -Up to 1 mile (1.6 km) -Up to 2 miles (3.2 km) -Up to 5 miles (8 km) -Up to 10 miles (16 km)

-Up to 5 miles (8 km)

means that each station is configured to connect to the WLAN via an access point (AP). This makes a logical star topology.

An infrastructure topology

Each client station requires a wireless adapter compatible with the standard(s) supported by the AP. The AP mediates communications between client devices using a specific frequency and channel. In 802.11 documentation, this arrangement is referred to as an infrastructure ___.

Basic Service Set (BSS).

A virtual MAC address derived from one of the AP's radios is used as the ______. The ___ identifies the access point hosting a BSS.

Basic Service Set Identifier (BSSID)

As well as facilitating communications between stations, an access point can provide a bridge to a cabled network segment. The cabled network is referred to as a __. On an enterprise WLAN, each access point is cabled to a switch. The _ can be used to network multiple access points.

distribution system (DS)

Multiple APs connected to the same distribution system can host an ______. Network name configured on multiple access points to form an extended service area. is a group of basic service sets that are all configured with the same SSID and security information.

Extended Service Set (ESS). When deployed like this, the network name is more properly called an Extended SSID (ESSID). An ESSID has the same format as an SSID.

device supporting the Wi-Fi standard should have an indoor range of at least ____

30 m (100 feet).

Each station uses the _____ mechanism to determine an appropriate data rate based on the signal quality. If the signal is strong, the station will select the highest available data rate (determined by support for a given iteration of the 802.11 standard); if the signal is weak, the station will reduce the data rate.

Dynamic Rate Switching/Selection (DRS)

Signal strength is represented as the ratio of a measurement to 1 milliwatt (mw), where 1 mW is equal to 0 dBm. dB and dBm units can be combined to analyze losses and gains in signal strength along a communications path.

For example, if you transmit a radio signal at 1 mW and use an antenna to boost the signal, the effective power is: 0 dBm + 3 dB = 2 mW = ~3 dBm Because 0 dBm is 1 mW, a negative value for dBm represents a fraction of a milliwatt. For example, -30 dBm is 0.001 mW; -60 dBm is 0.000001 mW.

is the strength of the signal from the transmitter as measured at the client end. When measuring ___ dBm will be a negative value with values closer to zero representing better performance. -30 dBm is considered to be a perfect signal. A value around -65 dBm represents a good signal, while anything worse than -80 dBm is likely to suffer packet loss or be dropped. The ___ must exceed the minimum receiver sensitivity.

The Received Signal Strength Indicator (RSSI)

The comparative strength of the data signal to the background noise is called the___ . Noise is also measured in dBm, but here values closer to zero are less welcome as they represent higher noise levels.

signal-to-noise ratio (SNR)

is a critical planning tool to ensure that the WLAN delivers acceptable data rates to the supported number of devices in all the physical locations expected. Documentation about a location for the purposes of building an ideal wireless infrastructure; it often contains optimum locations for wireless antenna and access point placement to provide the required coverage for clients and identify sources of interference.

A wireless survey

The area served by a single AP is referred to as a ___

basic service area (BSA).

The area where stations can roam between access points to stay connected to the same ESSID is an ___

extended service area (ESA)

You can also configure access points to create wireless-only networks in areas where it is not possible to run cabling. This is referred to as a ____. You must set the APs to use the same channel, SSID, and security parameters. The APs are configured in WDS/repeater mode. One AP is configured as a base station, while the others are configured as remote stations. The base station can be connected to a cabled segment. The remote stations must not be connected to cabled segments. The remote stations can accept connections from client stations and forward all traffic to the base station.

wireless distribution system (WDS).

Rather than configure each device individually, enterprise wireless solutions allow for centralized management and monitoring of the APs on the network. This is typically achieved through the use of a dedicated hardware device called a ____. Device that provides wireless LAN management for multiple APs.

wireless controller.

An AP whose firmware contains enough processing logic to be able to handle clients without the use of a wireless controller is known as an _______. Access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller.

autonomous AP

while one that requires a wireless controller to function is a _______ . Access point that requires a wireless controller in order to function.

lightweight AP

Cisco wireless controllers usually communicate with the APs using the ____. allows an AP configured to work in lightweight mode to download an appropriate SSID, standards mode, channel, and security configuration.

Lightweight Access Point Protocol (LWAPP). Alternatives to LWAPP include the derivative Control And Provisioning of Wireless Access Points (CAPWAP) protocol or a proprietary protocol.

determines the propagation pattern or shape of the radio waves transmitted. Specially arranged metal wires that can send and receive radio signals, typically implemented as either an omnidirectional or a unidirectional type.

The antenna type

receives and sends signals in all directions more or less equally. Access points with ____should ideally be ceiling mounted for best coverage. The propagation pattern is shaped like a torus (donut), rather than a sphere, and radiates more powerfully in the horizontal plane than it does in the vertical plane.

An omnidirectional antenna

To extend the signal to a particular area, you can use a _______ focused in a single direction. Both the sender and receiver must use directional antennae, or one will be able to receive signals but not send responses. types include the Yagi (a bar with fins) and parabolic (dish or grid) form factors. are useful for point to point wireless bridge connections.

unidirectional antenna

The increase in signal strength obtained by focusing the signal is referred to as

the gain and is measured in dBi (decibel isotropic).

The amount of directionality, referred to as the beamwidth, is measured in

degrees.

refers to the orientation of the wave propagating from the antenna. If you imagine a rod-type antenna, when the rod is pointed up relative to the floor, the wave is vertically ____ ; if you orient the rod parallel to the floor, the wave is horizontally ___ . To maximize signal strength, the transmission and reception antennae should normally use the same ___ .

polarization

meaning that they can be installed in either orientation. are also the best way to support mobile devices, as these can be held by their user in a variety of orientations.

Some antennae are dual-polarized

In an ad hoc topology, the wireless adapter allows connections to and from other devices. In 802.11 documentation, this is referred to as an ____. A type of wireless network where connected devices communicate directly with each other instead of over an established medium. This topology does not require an access point. All the stations within an ad hoc network must be within range of one another. An ad hoc network might suit a small workgroup of devices, or connectivity to a single device, such as a shared printer, but it is not scalable to large network implementations.

Independent Basic Service Set (IBSS).

defines a wireless mesh network (WMN).

The 802.11s standard

Wireless network topology where all nodes—including client stations—are capable of providing forwarding and path discovery. This improves coverage and throughput compared to using just fixed access points and extenders. nodes in a WMN are capable of discovering one another and peering, forming a Mesh Basic Service Set (MBSS).

a wireless mesh network (WMN)

The mesh stations can perform path discovery and forwarding between peers using a routing protocol, such as the

Hybrid Wireless Mesh Protocol (HWMP).

means a physical and logical connection between two devices. is usually used as a means of bridging two locations when it is not possible to connect them using cables.

A point-to-point link

What advantage does automated VLAN pooling provide in a wireless network? -Increases the signal strength of access points -Reduces the cost of deploying access points -Reduces excessive broadcast traffic -Enhances the physical security of the network infrastructure

-Reduces excessive broadcast traffic Automated VLAN pooling, facilitated by a wireless controller, ensures that the total number of stations per VLAN is kept within specified limits. This helps in reducing excessive broadcast traffic, which can otherwise degrade network performance. By efficiently managing client assignments to VLANs, the network remains optimized for performance.

Which network type is most commonly used in Wi-Fi setups? -Ad-hoc network -Infrastructure network -Mesh network -Peer-to-peer network

-Infrastructure network The infrastructure network type is the most common Wi-Fi setup, where devices connect through an access point. This setup provides a centralized point for data transmission and allows for greater range and connectivity options compared to other types. Ad-hoc networks are direct connections between devices without an intermediary access point, less common for general Wi-Fi use. Mesh networks involve multiple nodes that communicate with each other to spread a network over a large area, not the most common setup for individual Wi-Fi networks. Peer-to-peer networks involve two devices directly communicating without an intermediary, not the standard for Wi-Fi networks.

What is the role of a beacon frame in a WLAN? -To encrypt data transmissions between the AP and client devices -To advertise the WLAN -To directly connect client devices to the Internet -To suppress the SSID broadcast

-To advertise the WLAN Beacon frames are special management frames broadcast by the AP to advertise the WLAN's presence. They contain information such as the SSID/ESSID, BSSID, supported data rates, signaling, and encryption/authentication requirements, making it easier for client devices to discover and connect to the network.

Which of the following best represents a good signal strength? - -30 dBm - -50 dBm - -65 dBm - -80 dBm

- -65 dBm

What does the beamwidth of an antenna indicate? -The power of the transmitted signal -The frequency of the transmitted signal -The amount of electrical resistance -The amount of directionality

-The amount of directionality The beamwidth of an antenna indicates the amount of directionality and is measured in degrees. A smaller beamwidth means the antenna is more directional, requiring more precise alignment.

determines the cryptographic protocols that are supported, the means of generating the encryption key, and available methods for authenticating wireless stations when they try to associate with the network.

Wi-Fi Encryption Standards

was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. version 1 of ___ uses the RC4 stream cipher to encrypt traffic but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to try to mitigate the various attacks against WEP that had been developed.

The first version of Wi-Fi Protected Access (WPA)

uses the Advanced Encryption Standard (AES) cipher deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4, and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.

WPA2

WPA2 uses a four-way handshake to allow a station to authenticate its credential, exchange a key to use for data encryption, and establish an association with an access point. This four-way handshake mechanism is vulnerable to manipulations that allow a threat actor to recover the key. WPA3 replaces the four-way handshake with the more secure ___ mechanism.

Simultaneous Authentication of Equals (SAE)

replaces AES CCMP with the stronger AES Galois Counter Mode Protocol (GCMP) mode of operation.

WPA3

are used for association and authentication and for disassociation and deauthentication messages as devices join and leave the network. These frames can be spoofed and misused in various ways under WPA and WPA2. WPA3 mandates use of encryption for these frames to protect against key recovery attacks and DoS attacks that force stations to disconnect.

Protected management frames

An open Wi-Fi network is one with no passphrase. Any station can join the network. In WPA2, this also means that all traffic is unencrypted. WPA3 encrypts this traffic. This means that any station can still join the network, but traffic is protected against sniffing.

Wi-Fi Enhanced Open

authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users shares the same secret. A wireless network authentication mode where a passphrase-based mechanism is used to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

pre-shared key (PSK)

When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between eight and 63 characters. This is converted to a type of hash value, referred to as the

pairwise master key (PMK).

still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In ___ , the Simultaneous Authentication of Equals (SAE) protocol replaces the four-way handshake.

WPA3

implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP) mechanism to authenticate against a network directory. 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access.

WPA’s enterprise authentication

With enterprise authentication, when a wireless client requests an association, the AP enables the channel for EAPoW traffic only. In this context, the wireless client is referred to as the

supplicant device.

means that the client is not required to authenticate. With WPA2, this also means that data sent over the link is unencrypted. WPA3 uses the ___ mechanism to encrypt open authentication traffic. Wireless network authentication mode where guest (unauthenticated) access is permitted.

Configuring an access point for open authentication; Wi-Fi Enhanced Open

would be used on a public AP or "hotspot" or on a private network to facilitate guest connections

Open authentication

is one that has been installed on the network without authorization, whether with malicious intent or not. Wireless access point that has been enabled on the network without authorization.

A rogue access point

This sends a stream of spoofed management frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the evil twin, sniff information about the authentication process, or perform a denial of service (DoS) attack against the wireless infrastructure. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w). Both the AP and clients must be configured to support MFP.

deauthentication attack

What protocol does WPA introduce to mitigate attacks against WEP? -AES -CCMP -TKIP -GCMP

-TKIP The Temporal Key Integrity Protocol (TKIP) was introduced with WPA as a stopgap solution to mitigate the vulnerabilities found in WEP, without requiring new hardware. TKIP included features like key mixing and a sequence counter to prevent replay attacks

or free space path loss is the degradation of a signal as the distance between a radio transmitter and receiver increases. The strength of the signal decreases per the inverse-square rule. Loss of signal strength due to distance and environmental factors. Also referred to as free space path loss.

Radio frequency (RF) attenuation

refers to spots within a building with no or weak Wi-Fi signal.

Insufficient wireless coverage

could cause or exacerbate attenuation and interference problems.

Incorrect antenna placement

Signal loss along this cable is referred to as___. Signal loss caused by an external antenna connected to an access point over cabling.

antenna cable attenuation.

calculated as the sum of transmit power, antenna cable/connector loss, and antenna gain. Signal strength from a transmitter, measured as the sum of transmit power, antenna cable/connector loss, and antenna gain.

Effective Isotropic Radiated Power (EIRP)

Each Wi-Fi channel is a collision domain. Where multiple devices use the same channel, there is contention. The wireless devices must use CSMA/CA to find opportunities to transmit. CCI can be measured as a channel utilization percentage. Channel utilization can be measured from the access point or by using a Wi-Fi analyzer. As a design goal, a channel should exhibit no more than 50% utilization.

Co-channel interference (CCI)

This occurs when access points are configured to use different but overlapping channels, such as 1 and 3 in the 2.4 GHz band. ACI slows down the CSMA/CA process and raises noise levels.

Adjacent channel interference (ACI)

Mirrors or shiny surfaces cause signals to reflect, meaning that a variable delay is introduced. This causes packets to be lost and consequently the data rate to drop.

Reflection/bounce (multipath interference)

Glass or water can cause radio waves to bend and take a different path to the receiver. This can also cause the data rate to drop.

Refraction

This refers to the degree to which walls, windows, and people will reduce signal strength (some of the radio wave's energy is lost as heat when passing through construction materials or human bodies). An internal wall might "cost" 3 to 15 dB, depending on the material used (concrete being the most effective absorber). The 2.4 GHz frequency has better penetration than the 5 GHz one, given the same power output. To minimize absorption from office furniture (and people), use ceiling-mounted APs.

Absorption

Interference from a powerful radio or electromagnetic source working in the same frequency band, such as a Bluetooth device, cordless phone, or microwave oven.

Electromagnetic interference (EMI)

Device that can detect the source of interference on a wireless network. EMI can be detected by using a __. must use a special radio receiver—Wi-Fi adapters filter out anything that isn't a Wi-Fi signal. They are usually supplied as handheld units with a directional antenna, so that the exact location of the interference can be pinpointed. A 6 dB change in the level of a particular source represents a halving or doubling of the distance between the analyzer and the RF source.

a spectrum analyzer

The main issues with roaming are the following:

Sticky clients that do not identify signal issues and do not reassociate with a different AP that could provide a better connection. Flapping clients that switch repeatedly between access points. Clients that do not support roaming standards (802.11k, 802.11r, and 802.11v) and so experience service interruptions due to having to reauthenticate or associate too slowly with the new AP. 802.11r assists with reauthentication, support for 802.11k can mitigate sticky and flapping client issues, as it transmits information about the wireless topology to the client, and 802.11v can "push" a client toward a less congested access point. Inconsistent service areas for 2.4 GHz and 5 GHz. 2.4 GHz supports longer ranges than 5 GHz, and this can cause it to "attract" more clients. Typically, a 2.4 GHz BSS is configured with a lower transmit power than the equivalent 5 GHz BSS.

The client or access point can use ____and/or deauthentication frames to notify the other party that it has ended a connection. A legitimate client might ___ but not deauthenticate because it is roaming between access points in an extended service area. A client might "flap" between two access points, causing numerous ___ and reassociations. Investigate the access point or controller event log to identify the cause of ___.

disassociation

exploits the lack of encryption in management frame traffic to send spoofed frames.

A disassociation attack

occurs when too many client devices connect to the same AP. The maximum number of clients that an AP can support varies, depending on the Wi-Fi standard used and the type of network traffic generated.

Overcapacity (or device saturation)

What is the recommended AP power setting relative to the weakest client power? -Equal to the weakest client power -Twice the weakest client power -Half of the weakest client power -2/3rds of the weakest client power

-2/3rds of the weakest client power

What is the inverse-square rule in the context of wireless signals? -Doubling the distance between devices quadruples the signal strength -Doubling the distance between devices halves the signal strength -Doubling the distance between devices reduces the signal strength by a factor of four -Doubling the distance between devices doubles the signal strength

-Doubling the distance between devices reduces the signal strength by a factor of four The inverse-square rule is a physical principle that explains how signal strength diminishes with distance. Specifically, if the distance between a transmitter and receiver is doubled, the signal strength is reduced by a factor of four, highlighting the rapid decrease in signal strength with increased distance.

What type of interference occurs when access points are configured to use overlapping channels, such as channels 1 and 3 in the 2.4 GHz band? -Co-channel interference -Adjacent channel interference -Direct sequence interference -Frequency modulation interference

-Adjacent channel interference

In a complex environment, why might it be necessary to adjust the power level used by an access point on a given channel? (Select two.) -To ensure clients can communicate effectively -To ensure the access point can interfere with other cells -To decrease the security level of the network -To prevent the access point from interfering with other cells -To increase the number of devices that can connect to the access point

-To ensure clients can communicate effectively -To prevent the access point from interfering with other cells

What is a common method to dynamically manage network load and reduce overutilization in a wireless network facing overcapacity issues? -Increasing the AP's transmit power -Reassigning wireless channels dynamically -Deploying additional DHCP servers -Reducing the encryption level of the network

-Reassigning wireless channels dynamically

is used to describe a WAN that is used and controlled by a single organization.

"enterprise WAN"

performs modulation of outgoing signals and demodulation of incoming data, working only at the Physical layer of the OSI model. Where the provider link is a copper cable, some type of ______ is usually used, rather than a switch.

modem

means transforming an electromagnetic wave to represent information, such as using the amplitude (height) of the wave to represent bits.

Modulation

Establishing a WAN provider link means terminating the access provider's cabling at some point in your premises, and then attaching modem and routing equipment to that line. The service-related entry point at which the access provider's network terminates is called the

demarcation point (or demarc for short) or minimum point of entry (MPOE).

Modems and routers or other access equipment that are provided or leased by the customer and installed at their site are referred to as

customer premises equipment (CPE)

enabled voice traffic to be digitized for transport around the core of the telecommunications network. It also enabled other types of digital data to be transported and could be provisioned directly to subscribers as a leased line. is based on time division multiplexing (TDM).

The T-carrier system

The protocol assigns each circuit (or channel) a time slot. Each 64 Kbps channel provides enough bandwidth for a digitized voice call.

time division multiplexing (TDM).

typically use either High-Level Data Link Control (HDLC) or Point-to-Point Protocol (PPP).

At the Data Link layer, T1 leased lines

is a technology for transferring data over voice-grade telephone lines, often referred to as the local loop. modem is installed as CPE, typically as a multifunction “wireless router,” where the RJ11 WAN port connects to the provider’s phone jack. modems can also be supplied as separate appliances or plug-in cards for routers. A filter (splitter) must be installed on each phone point to prevent noise from affecting either voice calls or the D___ link.

Digital subscriber line (DSL)

provides a fast downlink but a slow uplink. offering downlink rates up to about 24 Mbps and uplink rates of 1.25 Mbps or 2.5 Mbps.

Asymmetrical DSL (ADSL)

offer the same uplink and downlink speeds. These are of more use to businesses and for branch office links, where more data is transferred upstream than with normal Internet use.

Symmetric versions of DSL

is usually available along with Cable Access TV (CATV). These networks are sometimes described as hybrid fiber coax (HFC) because they combine a fiber optic core network with coax links to CPE, but are more simply just described as cable broadband.

A cable Internet connection

solution retains some sort of copper wiring to the customer premises while extending the fiber link from the point of presence to a communications cabinet servicing multiple subscribers.

A fiber to the curb (FTTC)

The service providers with their roots in telephone networks use ____ to support FTTC. achieves higher bit rates than other DSL types at the expense of range. It allows for both symmetric and asymmetric modes. Over 300 m (1,000 feet), an asymmetric link supports 52 Mbps downstream and 6 Mbps upstream, while a symmetric link supports 26 Mbps in both directions. _____ specifies a very short range (100 m/300 feet) rate of 100 Mbps (bidirectional).

very high-speed DSL (VDSL); VDSL2

Internet connection means that the service provider’s fiber optic cable is run all the way to the customer’s building. This full fiber connection type is implemented as a passive optical network (PON).

A fiber to the premises (FTTP)

a single fiber cable is run from the point of presence to an optical line terminal (OLT) located in a street cabinet. From the OLT, splitters direct each subscriber’s traffic over a shorter length of fiber to an optical network terminal (ONT) installed at the customer’s premises. The ONT converts the optical signal to an electrical one. The ONT is connected to the customer’s router using an RJ45 Ethernet patch cord.

passive optical network (PON)

What is the primary function of a T-carrier system? -To provide wireless connectivity -To enable voice traffic digitization -To encrypt data transmissions -To serve as a backup system for internet connections

-To enable voice traffic digitization The T-carrier system was designed to digitize voice traffic for transport around the core of the telecommunications network. It also supports the transportation of other types of digital data and can be provisioned directly to subscribers as a leased line.

How is the ONT connected to the customer's router in FTTP? -Using a coaxial cable -Using an RJ45 Ethernet patch cord -Using a USB cable -Using a fiber optic cable

-Using an RJ45 Ethernet patch cord

means that the user's device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network, usually a public WAN. These days, most ___ is implemented as a virtual private network (VPN), running over the Internet.

Remote network access

is where the hosts are on the same logical network but connected via different physical networks. encapsulates the packet for the local network within a public network packet. Typically, the local network packet is encrypted. When the packet is delivered, the remote access server strips the public packet headers, extracts and decrypts the local packet, and forwards it over the local network.

Tunneling

is an encapsulation protocol that works at the Data Link layer (layer 2). is used to encapsulate IP packets for transmission over serial digital lines. has no security mechanisms, so must be used with other protocols to provision a secure tunnel. Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.

The Point-to-Point Protocol (PPP)

Tunneling protocol allowing the transmission of encapsulated frames or packets from different types of network protocol over an IP network. works at layer 3. can itself encapsulate an IP packet (or most other Network layer protocol types) as its payload. The "outer"___ packet is assigned protocol number 47 and has its own IP source and header address fields. The___ packet is then itself encapsulated in a layer 2 frame for transmission to the next hop router. Each intermediate router inspects only the outer ___ header to determine the forwarding destination. At the final destination, the receiving router de-encapsulates the ___ packet to extract the inner IP payload and forwards that inner packet to its destination. ___ does not have any mechanisms for authenticating users or devices and so is often used with other protocols in a VPN solution.

Generic Routing Encapsulation (GRE)

also operates at the Network layer of the OSI model to authenticate hosts and encrypt packets. is used with other protocols to provide connection security, and it is increasingly used as a standalone VPN protocol.

Internet Protocol Security (IPSec)

can be used to encapsulate frames or IP packets. The main drawback is that as ___ already operates at the Session layer, the headers from the inner and outer packets add up to a significant overhead.

Transport Layer Security (TLS) over TCP or datagram TLS (DTLS) over UDP

can be used to secure IPv4 and/or IPv6 communications on local networks and as a remote access VPN protocol. operates at the Network layer of the OSI model (layer 3). This means that it can be implemented without having to configure specific application support and that it incurs less packet overhead. Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.

Internet Protocol Security (IPSec)

Performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this value in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality.

Authentication Header (AH)

Can be used to encrypt the payload rather than simply calculating an ICV. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV.

Encapsulating Security Payload (ESP)

IPSec can be used in two modes:

Transport mode or Tunnel mode

This mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in ____ mode, it can provide integrity for the IP header.

Transport mode

This mode is used for communications between VPN gateways across an insecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in ___ mode, as confidentiality will usually be required.

Tunnel mode

sets the authentication mechanism and also the use of AH/ESP and transport or tunnel mode for a connection between two peers.

An IPSec policy

implements an authentication method, selects which cryptographic ciphers are mutually supported by both peers, and performs key exchange. The set of properties is referred to as a security association (SA). Framework for creating a security association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree on secure protocols and cipher suites to use to exchange data.

The Internet Key Exchange (IKE) protocol

establishes the identity of the two peers and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating peers are commonly used: Digital certificates —are issued to each peer by a mutually trusted certificate authority to identify one another. Pre-shared key (group authentication) —is when the same passphrase is configured on both peers.

Phase I

uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session.

Phase II

was designed for site-to-site and host-to-host topologies and requires a supporting protocol to implement remote access VPNs.

IKEv1

has some additional features that have made the protocol popular for use as a stand-alone remote access client-to-site VPN solution. The main changes are the following: Supports EAP authentication methods, allowing, for example, user authentication against a RADIUS server. Provides a simple setup mode that reduces bandwidth without compromising security. Allows network address translation (NAT) traversal and MOBIKE multihoming. NAT traversal makes it easier to configure a tunnel allowed by a home router/firewall. Multihoming means that a smartphone client with Wi-Fi and cellular interfaces can keep the IPSec connection alive when switching between them.

IKEv2

the VPN client connects over the public network to a VPN gateway (a VPN-enabled router) positioned on the edge of the local network (typically the VPN access server will be in a screened subnet). is the "telecommuter" model, allowing homeworkers and employees working in the field to connect to the corporate network. can be configured using a number of protocols.

In a client-to-site or remote access topology

The client accesses the Internet directly using its ISP-manged IP configuration, routers, and DNS servers. VPN configuration where only traffic for the private network is routed via the VPN gateway.

Split tunnel

Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy. VPN configuration where all traffic is routed via the VPN gateway. offers better security, but the network address translations and DNS operations required may cause problems with some websites, especially cloud services. It also means more data is channeled over the link, and the connection can exhibit higher latency.

Full tunnel

Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless). Also called clientless VPN.

HTML5 VPN or clientless VPN

is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

a site-to-site VPN

The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel. This is also referred to as ____. can be in place permanently (static), or they can be put in place based on the data or client type (dynamic).

Compulsory tunnels

Which protocol is often used with other protocols to provision a secure tunnel due to its lack of inherent security mechanisms? IPSec TLS PPP GRE

PPP PPP lacks inherent security mechanisms, such as encryption or authentication, making it necessary to use it in conjunction with other protocols to create a secure tunnel for data transmission. IPSec itself provides robust security mechanisms for authentication and encryption. TLS provides secure communication for applications over the Internet. While GRE does not provide encryption or authentication, PPP is more commonly noted for its need to be combined with security protocols due to its lack of inherent security.

hich protocol is known for operating at the Network layer of the OSI model to authenticate hosts and encrypt packets? PPP GRE IPSec TLS

IPSec IPSec operates at the Network layer (Layer 3) and is designed to secure IP communications through authenticating and encrypting each IP packet in a data stream. IPSec is widely used in VPNs for securing Internet communication. PPP operates at the Data Link layer and does not inherently encrypt or authenticate packets. GRE operates at the Network layer but does not provide authentication or encryption. TLS operates at a higher layer, the Session layer, and is not designed to work at the Network layer like IPsec.

How do gateways in a Site-to-Site VPN establish a secure connection? -By using a shared password -By exchanging security information -By using a public Wi-Fi network -By sending a verification email

-By exchanging security information

What makes TACACS+ different from RADIUS? -TACACS+ uses UDP for communication. -TACACS+ combines AAA in a single process. -TACACS+ is less secure than RADIUS. -TACACS+ separates AAA functions.

-TACACS+ separates AAA functions.

You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office to access needed files. You want the connection to be as secure as possible. Which type of connection do you need? -Remote access -Internet -Virtual private network -Intranet

-Remote access Remote access is the correct answer because it specifically refers to the ability to access a computer or a network from a remote location. In the context of the question, using a modem to connect directly to a server in the office for accessing files aligns with the definition of remote access. This type of connection can be secured through various means, such as using secure authentication methods and encryption, to ensure that the data transmitted between the laptop and the office server remains confidential and protected from unauthorized access.

What is a key feature of clientless VPNs that distinguishes them from traditional remote desktop products and client-to-site VPNs? -They require a client app to operate. -They cannot handle audio. -They allow connection through a browser. -They use separate HTTP requests for communication.

-They allow connection through a browser.

Which mode of IPSec is used for communications between VPN gateways across an unsecure network? -Transport mode -Tunnel mode -Gateway mode -VPN mod

-Tunnel mode Tunnel mode is used for securing communications between VPN gateways across an unsecure network by encrypting the entire IP packet and encapsulating it with a new IP header.

What does the Encapsulating Security Payload (ESP) protocol provide? -Encryption of the IP header only -Encryption of the payload only -Encryption of the whole packet -Encryption of the payload and optional authentication

-Encryption of the payload and optional authentication

In the context of IPSec and IPv6, how are additional security features implemented within the packet structure? -Through the use of extension headers -By modifying the payload data -With a special encryption algorithm -Via the primary IPv6 header

-Through the use of extension headers

Which feature of IKEv2 facilitates the use of a VPN through a home router/firewall? -MOBIKE multihoming -EAP authentication methods -NAT traversal -Simple setup mode

-NAT traversal NAT traversal is a feature of IKEv2 that makes it easier to configure a tunnel allowed by a home router/firewall. This feature is crucial for ensuring that VPN connections can be established and maintained even when network address translation is being used, which is common in home networks.

Which protocol is used in conjunction with IPSec to provide added security? -SSTP -L2TP -PPTP -EAP

-L2TP The Layer 2 Tunneling Protocol (L2TP) is often used in conjunction with IPSec to provide an additional layer of security. L2TP facilitates the tunneling of data, while IPSec provides encryption for the tunneled data, enhancing the overall security of the VPN connection.

What does a full tunnel VPN configuration do? -Directly connects the client to the Internet using ISP-managed configurations -Allows the client to bypass corporate network security -Mediates internet access through the corporate network -Requires no client software to operate

-Mediates internet access through the corporate network

Remote configuration of network appliances. Most of these appliances are headless (they do not have a video monitor or input devices), and remote connections are the only practical configuration option. This type of connection is typically implemented using

Secure Shell (SSH).

either allow an administrator to configure a server or a user to operate a computer remotely. Where remote desktop protocols provide GUI access, other protocols can be used for terminal-only access.

Remote desktop connections

allow user access to networked apps. A ____ can also be used to connect a user to a virtual desktop, where a client OS and applications software are provisioned as a virtual appliance. Alternatively, a ____ is a means of implementing a clientless VPN.

Remote desktop gateways

is any kind of software that replicates this TTY input/output function. allows you to connect to the shell of a different host over the network.

A terminal emulator

is the principal means of obtaining secure remote access to UNIX and Linux servers and to most types of network appliances (switches, routers, and firewalls). Application protocol supporting secure tunneling and remote terminal emulation and file copy. runs over TCP port 22. can be used as the secure file transfer protocol (SFTP).

Secure Shell (SSH)

is identified by a public/private key pair, referred to as the host key. A mapping of host names to public keys can be kept manually by each SSH client, or there are various enterprise software products designed for SSH key management.

An SSH server

is used to set up a secure channel to use for the client to submit authentication credentials.

The server's host key

SSH allows various methods for the client to authenticate to the SSH server. Each of these methods can be enabled or disabled as required on the server:

Username/password Public key authentication Kerberos

Start the SSH Daemon (server). Parameters such as the host's certificate file, port to listen on, and logging options can be set via switches or in a configuration file.

sshd

Create a key pair to use to access servers. The private key must be stored securely on your local computer. The public key must be copied to the server. You can use the ssh-copy-id command to do this, or you can copy the file manually.

ssh-keygen

Configure a service to use to store the keys used to access multiple hosts. The agent stores the private key for each public key securely and reduces the number of times use of a private key has to be confirmed with a passphrase. This provides a single sign-on (SSO) mechanism for multiple SSH servers.

ssh-agent

is used to add a key to the agent.

The ssh-add command

Use the SSH client to connect to the server running at Host. Host can be an FQDN or IP address. You can also create a client configuration file.

ssh Host

Use the SSH client to connect to the server running at Host with a different Username.

ssh Username@Host

Use the SSH client to execute a command or script on the remote server running at Host without starting a shell.

ssh Host "Command or Script"

A file transfer client with remote copy/rcp-like command interface.

scp Username@Host:RemoteFile /Local/Destination

A file transfer client with FTP-like command interface.

sftp

is both a protocol and a terminal emulation software tool that transmits shell commands and output between a client and the remote host. Application protocol supporting unsecure terminal emulation for remote host management. runs over TCP port 23.

Telnet

remote administration tool sends screen and audio data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host.

A graphical user interface (GUI)

is Microsoft's protocol for operating remote GUI connections to a Windows machine. uses TCP port 3389.

Remote Desktop Protocol (RDP)

protects the RDP server against denial of service attacks. Without ___, the system configures a desktop before the user logs on. A malicious user can create multiple pending connections to try to crash the system. authenticates the user before committing any resources to the session.

Network Level Authentication (NLA)

If Remote Desktop is used to connect to a server that has been compromised by malware, the credentials of the user account used to make the connection become highly vulnerable. ____ are means of mitigating this risk.

RDP Restricted Admin (RDPRA) Mode and Remote Credential Guard

This requires connecting a laptop running terminal emulator software to the switch or router via a separate physical interface using a special console (or rollover) cable. The terminal emulator can then be used to start a command line interface (CLI).

Console port

This port is designed to connect to an analog modem and provide remote access over a dial-up link. Once the AUX port is enabled and configured, the modem can be connected to it by using an RS-232 serial cable, a specially wired RJ45 rollover cable and terminal adapter (RJ45 to DB9), or a management cable (RJ45 to DB9). Configure the modem with appropriate serial link settings (refer to the vendor guide), connect it to an appropriate telephone line, and allocate an extension number. A remote host can connect to the appliance CLI by using a terminal emulation program such as HyperTerminal or PuTTY.

AUX port

This means configuring a virtual network interface and IP address on the device to use for management functions and connecting to it via one of the normal Ethernet ports. The port must be enabled for this function (some appliances come with a dedicated management port). Using Telnet (insecure) or Secure Shell (SSH) to connect to a CLI remotely over the management interface in this way is referred to as a virtual terminal.

Management port

____ management link is one that shares traffic with other communications on the "production" network.

An in-band

The console port is a physically ____ management method; the link is limited to the attached device. When you are using a browser-based management interface or a virtual terminal, the link can be made ___ by connecting the port used for management access to physically separate network infrastructure. Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.

out-of-band

A hardened server that provides access to other hosts. only runs the necessary administrative port and protocol, such as SSH or RDP. Administrators connect to the ____ and then use the ____ to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL and denies connection attempts from any other hosts.

jump box

An appliance that can be automated via scripting exposes an ___. is the means by which external entities interact with the appliance, calling it with expected parameters and receiving the expected output.

application programming interface (API)

You must enforce strong authentication policies to mitigate risks:

Do not use the root user account for any day-to-day logon activity or automation. Configure specific accounts for automation that are allocated with least privileges only. Principals—user accounts, security groups, roles, and services—are enabled for programmatic access by assigning a secret key to the account. Only the secret key (not the ordinary account credential) can be used for programmatic access. When a secret key is generated for an account, it must immediately be transferred to the host and kept securely on that host. Only use secure protocols, such as HTTPS, for API communications. Configure mutual authentication and access controls so that API requests can only be issued from authorized clients.

What is the purpose of the ssh-agent command? -To restart the SSH server -To generate new SSH keys -To store private keys securely -To change the default SSH port

-To store private keys securely

You are in the middle of a big project at work. All of your work files are on a server at the office. You want to be able to access the server desktop, open and edit files, save the files on the server, and print files to a printer that's connected to a computer at home. Which protocol should you use? -FTP -RDP -Telnet -SSH

-RDP

What does Network Level Authentication (NLA) protect the RDP server against? -Phishing attacks -Denial of service attacks -On-path attacks -SQL injection attacks

-Denial of service attacks

What does the AUX port connect to for remote access? -A digital modem -An analog modem -A wireless router -A fiber optic cable

-An analog modem

is a site that is dedicated to provisioning server resources. hosts network services (such as authentication, addressing, and name resolution), application servers, and storage area networks (SANs). are housed in purpose-built facilities, but some of the concepts also apply to server rooms.

A data center

Unlike an office network, ___ contains no client PCs, other than hardened secure administrative workstations (SAWs) used solely to manage servers.

a data center

Traffic that goes to and from a data center is referred to as ____. This traffic represents clients outside the data center making requests and receiving responses. Corporate network traffic flows are also typically ____. A client device is located on a workgroup switch connected to a router, while the server is connected to a separate switch or VLAN. Traffic from the client to the server passes ____ from the client's switch to the router and then back___ to the server's switch.

north-south

In data centers that support cloud and other Internet services, most traffic is actually between servers within the data center. This is referred to as ___.

east-west traffic

provides better support for east-west traffic and the use of SDN and overlay networks within datacenters. Topology commonly used in datacenters comprising a top tier of aggregation switches forming a backbone for a leaf tier of top-of-rack switches.

The spine and leaf topology

comprises a backbone of top-tier distribution switches. Note that while this is described as a backbone, the spine switches are not linked to one another.

The spine layer

contains access switches. Each access switch is connected to every spine switch in a full mesh topology. The access switches never have direct connections to one another.

The leaf layer

The spine and leaf topology has a number of advantages:

Each server is only ever a single hop from the backbone, making network latency more predictable. There are multiple redundant paths between a leaf switch and the backbone, allowing for load balancing and failover. As there are no direct connections between spine switches in the backbone or between leaf switches, the network is loop free and does not need to run spanning tree. Instead, each leaf switch runs a protocol called Equal Cost Multipathing (ECMP) to distribute traffic between the links to the spine switches. Servers are connected to multiple leaf switches for multipath redundancy, using a first hop gateway protocol to determine the active path. Scalability is improved because adding spine and/or leaf nodes does not change the topology. This means adding capacity for service needs that change unpredictably, such as storage, is easy.

The leaf layer access switches are implemented as ___. High-performance switch model designed to implement the leaf tier in a spine and leaf topology.

top-of-rack (ToR) switch models.

Network dedicated to provisioning storage resources, typically consisting of storage devices and servers connected to switches via host bus adapters. provisions access to storage devices using block input/output (I/O). Each read or write operation addresses the actual location of data on the media, just like direct-attached storage. The difference is that these read/write requests are communicated from the server to the storage device over the network. This does require an extremely fast and reliable network that is dedicated only to the storage function.

storage area network (SAN)

High speed network communications protocol used to implement SANs. Also called "FC." is defined in the T11 ANSI standard. The British spelling "fibre" is deliberately chosen to distinguish the standard from fiber optic cabling, which it often uses but on which it does not rely.

Fibre Channel

A SAN based on a Fibre Channel (FC) Switched Fabric (FC-SW) involves three main types of components:

Initiator Target FC switch

This is a client device of the SAN, such as a file or database server installed with a fibre channel host bus adapter (HBA).

Initiator

This is the network port for a storage device. Typical devices include single drives, RAID drive arrays, tape drives, and tape libraries. Space on the storage devices is divided into logical volumes, each identified by a 64-bit logical unit number (LUN). The initiator will use SCSI, Serial Attached SCSI (SAS), SATA, or Nonvolatile Memory Express (NVMe) commands to operate the storage devices in the network, depending on which interface they support. Most devices have multiple ports for load balancing and fault tolerance. The initiators and targets are identified by 64-bit WorldWide Names (WWN), similar to network adapter MAC addresses. Collectively, initiators and ___ are referred to as nodes. Nodes can be allocated their own WWN, referred to as a WWNN (WorldWide Node Name). Also, each port on a node can have its own WorldWide Port Name (WWPN).

targets

This provides the interconnections between initiators and targets (a fabric). The switch topology and interconnections would be designed to provide multiple paths between initiators and targets, allowing for fault tolerance and load balancing. High performance FC switches are often referred to as directors.

FC switch

is a means of delivering Fibre Channel packets over lossless Ethernet components. requires special 10/40/100G adapters that combine the function of NIC and HBA, referred to as converged network adapters (CNAs).

Fibre Channel over Ethernet (FCoE)

is an IP tunneling protocol that enables the transfer of SCSI data over an IP-based network. works with ordinary Ethernet network adapters and switches. can be used to link SANs but is also seen as an alternative to Fibre Channel or Converged Ethernet, as it works with regular Ethernet adapters and switches.

Internet Small Computer Systems Interface (iSCSI)

which uses the reliability mechanisms built into TCP to substitute for the lossless mechanisms of FC or CE. While there is greater packet header and latency compared to ___/FC or RoCE, the use of standard Ethernet products can simplify procurement and support procedures.

Another option is NMEe over TCP (NVMe/TCP)

In a spine and leaf topology, how are spine switches connected? -Directly to one another -Through a central hub -Not directly connected -Via the Internet

-Not directly connected

What is a key benefit of the spine and leaf topology regarding network loops? -It requires spanning tree to prevent loops. -It is inherently loop-free. -Loops are managed through manual configuration. -Loops are considered beneficial for redundancy

-It is inherently loop-free.

What is NVMe over Fabrics (NVMe-oF)? -A type of Ethernet switch -A storage device interface -Using NVMe in a networked environment -A Fibre Channel switch feature

-Using NVMe in a networked environment

Who are the clients of a SAN? -Client PCs and laptops -Servers running databases or applications -Internet users accessing cloud services -External storage vendors

-Servers running databases or applications

How does a SAN provision access to storage devices? -Through file-level input/output -Using block input/output -Via direct physical connections -Through application-level protocols

-Using block input/output

means that the resources or costs involved in supplying the service to more users are linear. For example, if the number of users doubles in a ____ system, the costs to maintain the same level of service would also double (or less than double). If it takes quadruple the resources to maintain the service, the system is less ___. can be achieved by adding nodes (horizontal/scaling out) or by adding resources to each node (vertical/scaling up).

Scalability

refers to the system's ability to handle changes to demand in real time. A system with high ____ will not experience loss of service or performance if demand suddenly doubles (or triples, or quadruples). Conversely, it may be important for the system to be able to reduce costs or deprovision resources when demand is low.

Elasticity

Classifying the ownership and management of a cloud as public, private, community, or hybrid. classifies how the service is owned and provisioned.

A cloud deployment model

A service offered over the Internet by cloud service providers (CSPs) to cloud consumers, often referred to as tenants. With this model, businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge. As a shared resource, there are risks regarding performance and security. Multicloud architectures are where the consumer organization uses services from more than one CSP.

Public (or multitenant)

Hosted by a third party for the exclusive use of one organization. This is more secure and can guarantee a better level of performance, but it is correspondingly more expensive.

Hosted Private (or single tenant)

Cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations.

Private

A cloud computing solution that implements a mixed public/private solution. For example, a travel organization may run a sales website for most of the year using a private cloud but "break out" the solution to a public cloud at times when much higher utilization is forecast. As another example, a hybrid deployment may be used to provide some functions via a public cloud, but keep sensitive or regulated infrastructure, applications, and data on-premises.

Hybrid

These cloud service models are referred to as ___. Some of the most common ____ models are infrastructure, software, and platforms.

Something/Anything/Everything as a Service (XaaS)

is a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them on an as-needed basis from the service provider's datacenter.

Infrastructure as a Service (IaaS) ; Examples include Amazon Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft Azure Virtual Machines (azure.microsoft.com/services/virtual-machines), and OpenStack (openstack.org).

is a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement (on-demand). Virtual infrastructure allows developers to provision on-demand applications much more quickly than previously. The applications can be developed and tested in the cloud without the need to test and deploy on client computers.

Software as a Service (SaaS) ; Examples include Microsoft Office 365 (support.office.com), Salesforce (salesforce.com), and Google Workspace (workspace.google.com).

provides resources somewhere between SaaS and IaaS. would deploy servers and storage network infrastructure but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL.

Platform as a Service (PaaS) ; Examples include Oracle Database (cloud.oracle.com/paas), Microsoft Azure SQL Database (azure.microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/appengine).

is a type of caching solution for high-traffic websites and application services. is to provide a mix of high availability with performance and scalability. improve web performance by placing servers and media files near the consumers. Content can mean web apps, Software as a Service apps, websites, scripts, downloads, and other files. The result is quicker data access than would result from a single central storage location that might be very far from the consumer. provide high availability by distributing content to multiple datacenters that are geographically dispersed. This also increases scalability.

A content delivery network (CDN)

is an instance of a computer or network appliance running an OS and applications software. can be allocated with a number of CPUs, an amount of system RAM, local storage, and network links. can be managed just like a normal computer by connecting to it via RDP or SSH.

A virtual machine (VM)

is a lightweight computing instance designed to run a single application service or a single workload task. don't have emulated hardware components, but they do still use compute resources and can connect to storage devices and networks.

A container

Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers. divides the provisioning of these appliances into three domains: VNF, NFV, and MANO

Network Functions Virtualization (NFV)

Specifies and deploys instances of each virtual appliance. VNFs are designed to run as VMs on standard CPU platforms.

Virtual network function (VNF)

Controls the allocation of compute (CPU and memory) plus storage and networking resources to each VNF.

NFV infrastructure

Positions VNFs within workflows to perform the forwarding and filtering tasks they are designed for.

Management and orchestration (MANO)

A private network segment made available to a single cloud consumer on a public cloud.

virtual private clouds (VPCs)

Each subnet within a VPC can either be private or public. To configure a public subnet, first an ____ must be attached to the VPC configuration. Secondly, the ____ must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an ____ is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The ____ performs 1:1 network address translation (NAT) to route Internet communications to and from the instance.

Internet gateway (virtual router)

This feature allows an instance to connect out to the Internet or to other AWS services but does not allow connections initiated from the Internet.

NAT gateway

There are various options for establishing connections to and between VPCs using virtual private networks (VPNs) at the software layer or using CSP-managed features.

VPN

within a datacenter offers a higher bandwidth solution by providing a direct connect or private link. The customer establishes infrastructure within a datacenter supported by the cloud provider or provisions a direct connect link from their enterprise network to the datacenter, possibly using private connections configured within a service provider's network. The datacenter installs a cross-connect cable or VLAN between the customer and the cloud provider, establishing a low-latency, high-bandwidth secure link. This solution is preferred for organizations which have a more centralized operation where the connection to the cloud can be from the main HQ and the company's own enterprise network is used to allow branch locations access.

Colocation

is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways

a transit gateway

The firewall accepts or denies connections on the basis of IP addresses or address ranges and TCP/UDP port numbers (the latter are actually contained in layer 4 headers, but this functionality is still always described as basic layer 3 packet filtering).

Network layer (layer 3)

The firewall can store connection states and use rules to allow established or related traffic. Because the firewall must maintain a state table of existing connections, this requires more processing power (CPU and memory).

Transport layer (layer 4)

The firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires even greater processing capacity (or load balancing), or the firewall will become a bottleneck and increase network latency.

Application layer (layer 7)

provides stateful inbound and outbound filtering at layer 4. The stateful filtering property means that it will allow established and related traffic if a new connection has been accepted.

A security group

The default ___ allows any outbound traffic and any inbound traffic from instances also bound to the default security group. ___ sets the ports and endpoints that are allowed for inbound and outbound traffic.

security group; A custom security group

is a set of rules that applies to an entire subnet.

In Oracle Cloud Infrastructure (OCI), a security list

What can a cloud consumer assign within each Virtual Private Cloud (VPC)? (Select two.) -An unlimited number of IPv6 CIDR blocks -A physical server to each subnet within the VPC -IPv4 CIDR blocks without any subnets -A single IPv4 CIDR block -An IPv6 CIDR block

-A single IPv4 CIDR block -An IPv6 CIDR block

What does a NAT gateway allow an instance to do? -Connect out to the Internet without allowing inbound connections. -Assign a public IP address to every instance within a subnet. -Monitor and log all Internet traffic. -Encrypt all outbound and inbound communications.

-Connect out to the Internet without allowing inbound connections.

An approach to infrastructure management where automation and orchestration fully replace manual configuration is referred to as ___. Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

infrastructure as code (IaC).

is a configuration or build that is different from any other. The lack of consistency—or drift—in the platform environment leads to security issues, such as patches that have not been installed, and stability issues, such as scripts that fail to run because of some small configuration difference.

A snowflake

means that instances are never updated in place. If a change or update is required, a new instance is deployed to replace the old one. By rejecting manual configuration and ad hoc patching, IaC ensures idempotence. Idempotence means that making the same call with the same parameters will always produce the same result.

Immutable architecture

using scripted playbooks means that each configuration or build task is performed by a block of code. The script will take standard arguments as data. This means that there is less scope for uncertainty over configuration choices leading to errors. It also ensures that systems are in compliance with network or security policies.

Automation

There are two types of automation tool:

Imperative tools and Declarative tools

take the precise series of steps required to achieve the desired configuration as input.

Imperative tools

take the desired configuration as input and leave the detail of how that configuration should be achieved to the implementation platform.

Declarative tools

performs a sequence of automated tasks. Automation of multiple coordinated steps in a deployment process.

orchestration

means that any given instance is completely static in terms of processing function. Data is kept separate from the instance OS/app, so that the instance can be swapped out for an "as new" copy without suffering any configuration problems.

Non-persistence

When provisioning a new or replacement instance, the automation system may use one of two types of mastering instructions:

Master image Automated build from a template

This is the "gold" copy of a VM or container instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template.

Master image

This is the build instructions (imperative automation) or desired configuration (declarative automation) for an instance. Rather than storing a master image, the software builds and provisions an instance according to the template instructions or desired configuration.

Automated build from a template

is where undocumented instances are launched and left unmanaged. As well as restricting rights to launch instances, you should configure logging and monitoring to track usage.

Sprawl

As well as restricting rights to launch instances, you should configure logging and monitoring to track usage. This process is supported by ____ features of automation suites. A ____ queries the cloud API to return a list of instances and their properties for storage in a database.

dynamic inventory

is a block of code that can perform a function in multiple different contexts.

A reusable task or module

is the overall process of managing code for a software development project. When using infrastructure as code, it is important to use the correct version of a script to perform a task. Tasks performed by different versions can lead to configuration drift and noncompliance. Also, software development is typically a collaborative process, and there needs to be procedures and tools to allow multiple developers to work on the same project. Technologies that manage development of software code by tracking and merging or rejecting changes from multiple authors.

Source control

is an ID system for each iteration of a software product or automation script. Most version control numbers represent both the version, as made known to the customer or end user, and internal build numbers for use in the development process. supports the change management process for software development projects.

version control

Software development environments use a _____ to maintain source code. When a developer commits new or changed code to the ____ , the new source code is tagged with an updated version number and the old version archived. This allows changes to be rolled back if a problem is discovered.

Central Repository

changes can be made in a ___ copy of source code stored separately to the main or production version. When the ____ code is ready, the developer issues a pull request, and it is tested and validated for merging back into the main ____

branch/branching

highlights these clashes and provides developers with tools to resolve them.

Conflict identification

is a model for how these processes can be used to provision and deprovision networks. Central policy management Transport agnostic Zero-touch provisioning Application aware

Software-defined networking (SDN)

There is a single "source of truth" for how the network should operate. These business and security rules are automatically converted into device configuration states. Also, status reporting ensures that "single pane of glass" monitoring and oversight is available to administrators.

Central policy management

The overlay network can make use of any available forwarding fabric, whether that is Ethernet, Wi-Fi, 4G/5G cellular, leased line, or satellite. The underlying network fabric is automatically configured to establish the logical network link.

Transport agnostic

When new nodes are deployed to the network, they use automation to achieve the desired configuration, rather than needing to be manually configured by a technician. Similarly, if network policies change, nodes are reconfigured automatically.

Zero-touch provisioning

Forwarding nodes can identify types of traffic, such as voice, video, or IoT. They can reserve capacity for these applications to ensure sufficient bandwidth, low latency, and lossless transfers.

Application aware

In the SDN model defined by IETF (datatracker.ietf.org/doc/html/rfc7426), network functions are divided into three layers. The top and bottom layers are

application and infrastructure

Applies the business logic to make decisions about how traffic should be prioritized and secured and where it should be switched. This layer defines policies such as segmentation, ACLs, and traffic prioritization.

Application layer

Uses the devices (physical or virtual) that handle the actual forwarding (switching and routing) of traffic and imposition of ACLs and other policy configurations for security.

Infrastructure layer

The principal innovation of ___ is to insert a control layer between the Application and Infrastructure layers.

SDN

The functions of the control plane are implemented by a virtual device called the

SDN controller.

The interface between SDN applications and the SDN controller is described as the ____ , while that between the SDN controller and infrastructure devices is the ____

service interface or as the "northbound" API; "southbound" API.

there are separate forwarding (data) and operational planes at the infrastructure level. The operational plane implements device state, such as CPU and memory utilization. A management plane sits at the same level as the control plane to interface with the operational plane. This is used to implement monitoring of traffic conditions and network status.

In IETF's SDN model

In this model, access to the datacenter from the corporate network, branch offices, and remote/teleworker locations can be facilitated through a ____. Services that use software-defined mechanisms and routing policies to implement virtual tunnels and overlay networks over multiple types of transport network. replaces hub-and-spoke-type designs with more efficient, but still secure, connectivity to corporate clouds. is managed by a controller and management software located in a corporate datacenter or public cloud.

software-defined WAN (SD-WAN)

is used to implement logical links between nodes or networks. abstracts the complexity of the underlying physical topology. A virtual private network (VPN) is an example. also allows for the segmentation of the same physical network. For example, a cloud provider can use an ____ to isolate each tenant's traffic from other tenants. When used inside the datacenter, ___are typically implemented using virtual extensible LANs (VXLANs).

overlay network

uses layer 2 encapsulation to create an overlay network that runs on a layer 3 IP underlay network. Each overlay network is allocated a 24-bit ___ network identifier (VNI).

A virtual extensible LAN (VXLAN)

encapsulates the layer 2 frames tagged with the VNI in UDP packets. The UDP packets are routed over the IP network to another ____. The receiving ____ decapsulates the packets to extract and process the frames.

A VXLAN Tunnel Endpoint (VTEP)

As an alternative to manually configuring connections between VNIs and VTEPs, ___ uses Border Gateway Protocol (BGP) to advertise VXLAN networks and nodes as routes. This implements a control plane for automated configuration and management of the overlay network.

an Ethernet VPN (EVPN)

refers to ways of creating links between datacenters and hosts/networks in different datacenters.

Data Center Interconnect (DCI)

is a security model that assumes that all devices, users, and services are not inherently trusted, regardless of whether inside or outside a network's perimeter.

Zero trust architecture (ZTA)

The zero trust model includes several fundamental concepts that provide a comprehensive security solution:

Policy-based authentication recognizes that user identities are not static and that identity verification must be continuous and based on a user's current context and the resources they are attempting to access. Threat scope reduction and least privilege access means that access to network resources is granted on a need-to-know basis, and access is limited to only those resources required to complete a specific task. These concepts reduce the network's attack surface and limit the damage that a successful attack can cause. Policy-driven authorization describes how least privilege access control policies are used to enforce permissions and restrictions based on user identity, device posture, and network context.

manages policies that dictate how users and devices are authorized to access network resources. It is implemented through a centralized policy decision point. The policy decision point is responsible for defining policies that limit access to resources on a least privilege basis, monitoring network activity for suspicious behavior, and updating policies to reflect changing network conditions and security threats.

The control plane in ZTA

The policy decision point is comprised of two subsystems:

The policy engine is configured with subject and host identities and credentials, access control policies, up-to-date threat intelligence, behavioral analytics, and other results of host and network security scanning and monitoring. This comprehensive state data allows it to define an algorithm and metrics for making dynamic authentication and authorization decisions on a per-request basis. The policy administrator is responsible for managing the process of issuing access tokens and establishing or tearing down sessions, based on the decisions made by the policy engine. The policy administrator implements an interface between the control plane and the data plane.

systems in the -___ establish sessions for secure information transfers. a subject (user or service) uses a system (such as a client host PC, laptop, or smartphone) to make requests for a given resource. A resource is typically an enterprise app running on a server or cloud. Each request is mediated by a policy enforcement point. The enforcement point might be implemented as a software agent running on the client host that communicates with an app gateway. The policy enforcement point interfaces with the policy administrator to set up a secure data pathway if access is approved, or tear down a session if access is denied or revoked.

In the data plane of the ZTA

The shift of service provisioning from on-premises servers to the cloud has prompted the development of a new. A networking and security architecture that provides secure access to cloud applications and services while reducing complexity. It combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN. combines the SD-WAN technologies used to implement secure tunnels from remote sites to enterprise services (the "A" for access part) with a Security Service Edge (SSE). when a user initiates an SD-WAN connection, the endpoint is not to a cloud service directly, but to a mediating SSE service.

Secure Access Service Edge (SASE) paradigm

is a set of technologies that mediate access to cloud services and web applications. Design paradigm and associated technologies that mediate access to cloud services and web applications.

The Security Service Edge (SSE)

Enterprise management software designed to mediate access to cloud services by users across all types of devices. Some of the functions of a ____ are the following: Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network or remote employees to the cloud provider. Scan for malware and rogue or noncompliant device access. Monitor and audit user and resource activity. Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

cloud access security broker (CASB)

In general, CASBs are implemented in one of three ways:

forward proxy reverse proxy API

This is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices or installation of an agent. In this mode, the proxy can inspect all traffic in real time, even if that traffic is not bound for sanctioned cloud applications. The problem with this mode is that users may be able to evade the proxy and connect directly. Proxies are also associated with poor performance as without a load balancing solution, they become a bottleneck and potentially a single point of failure.

Forward proxy

This is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of the users' devices. This approach is only possible if the cloud application has proxy support.

Reverse proxy

Rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB uses brokers' connections between the cloud service and the cloud consumer. For example, if a user account has been disabled or an authorization has been revoked on the local network, the CASB would communicate this to the cloud service and use its API to disable access there too. This depends on the API supporting the range of functions that the CASB and access and authorization policies demand. CASB solutions are quite likely to use both proxy and API modes for different security management purposes.

Application programming interface (API)

is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services.

An on-premises SWG

What are the two subsystems of the policy decision point in ZTA? -Policy engine and policy administrator -Data plane and control plane -Authentication server and authorization server -Threat intelligence and behavioral analytics

-Policy engine and policy administrator

n ZTA, what does the separation of the control and data planes achieve? -Increases the complexity of network management. -Enhances the scalability of network infrastructure. -Segregating policy decision-making from data transfer. -Reduces the need for continuous monitoring.

-Segregating policy decision-making from data transfer.

Which of the following is a function of a Cloud Access Security Broker (CASB)? -Increases the speed of cloud services -Monitors and audits user and resource activity -Reduces the cost of cloud storage -Directly improves the performance of SD-WAN connections

-Monitors and audits user and resource activity

Network2 Flashcards

(884 cards)