Cloud Computing Security Quiz
39 Questions

Questions and Answers

What is one characteristic of cloud computing?

  • High costs
  • Scalability (correct)
  • Inflexibility
  • Physical hardware dependency

All firewalls and gateways provide complete protection against intrusions.

False (B)

What is the primary function of an intrusion detection system?

To monitor and identify potential security breaches.

A ______ is used to manage multiple virtual machines on a single physical server.

hypervisor

Match the following cloud deployment models with their descriptions:

  • Public Cloud = Resources shared across multiple organizations
  • Private Cloud = Resources dedicated to a single organization
  • Hybrid Cloud = Combination of public and private clouds
  • Community Cloud = Resources shared among a specific community of users

What is the primary function of a Load Balancer in cloud computing?

To distribute workloads across multiple resources (D)

Automated Scaling Listener can help in managing traffic in cloud computing environments.

True (A)

What is the purpose of Failover Mechanisms in cloud computing?

To provide backup systems in case of failures.

Cloud Usage Monitor is used to track ______ in cloud services.

resource usage

Match the following security mechanisms with their descriptions:

  • Firewalls = Controls incoming and outgoing network traffic
  • Encryption = Secures data by converting it into a code
  • Authentication = Verifies the identity of users
  • Access Control = Defines who can access specific resources

What does symmetric key cryptography primarily use for encryption and decryption?

The same key for both encryption and decryption (D)

Public key cryptography uses the same key for both encryption and decryption.

False (B)

What is the main purpose of network security?

To protect networks and data from unauthorized access and attacks.

The _______ algorithm is widely known for its role in secure data transmission using asymmetric key cryptography.

RSA

Match the following types of encryption with their descriptions:

  • Symmetric Key Cryptography = Uses the same key for encryption and decryption
  • Public Key Cryptography = Uses a pair of keys for encryption and decryption
  • Block Cipher = Encrypts data in fixed-size blocks
  • Stream Cipher = Encrypts data one bit at a time

Which protocol is primarily used for sending email?

SMTP (A)

Local DNS servers are responsible for caching DNS information.

True (A)

What service do authoritative DNS servers provide?

They provide definitive answers to queries about domain names.

The message type used by a manager to request data from an SNMP agent is called a ______.

GetRequest

Match the following protocols with their primary functions:

  • SMTP = Sending email
  • IMAP = Retrieving email
  • DNS = Translating domain names to IP addresses
  • SNMP = Network management

Which component is NOT a part of DNS?

Mail transfer agents (B)

DNS records are only used for email services.

False (B)

Name a service provided by DNS.

Translating domain names to IP addresses.

What is the purpose of a Trap message in SNMP?

To inform the manager of exceptional events (C)

InformRequest is used by the manager to inform a remote entity of MIB values accessible to it.

True (A)

What is the main function of the Response message in SNMP?

To provide the value in response to a Request.

The protocol that allows for managing network devices through a set of defined operations is known as ______.

NETCONF

Match the following SNMP messages with their purposes:

  • GetBulkRequest = Retrieve multiple values from the agent
  • SetRequest = Change the value of a specific MIB variable
  • Response = Reply with the requested value
  • Trap = Notify the manager of an event

Which of the following is not a function of the network layer?

Setting MIB values (B)

The IP Datagram format is consistent across different versions of IP.

False (B)

What does YANG stand for in network management?

Yet Another Next Generation

Which of the following is NOT a property of RSA?

It provides message integrity. (A)

A cryptographic hash function is designed to be a one-way function.

True (A)

What does MAC stand for in the context of message authentication?

Message Authentication Code

In the context of TLS, the _______ phase is used to establish a secure connection.

handshake

Match the following cryptographic functions with their descriptions:

  • Digital Signatures = Provides non-repudiation
  • Message Authentication Code (MAC) = Ensures message integrity
  • Cryptographic Hash Function = Produces a fixed-size output
  • Public Key Infrastructure (PKI) = Manages digital certificates

What is a key feature of Pretty Good Privacy (PGP)?

It provides email encryption and digital signatures. (C)

Transport-layer Security (TLS) ensures confidentiality and integrity of transmitted data.

True (A)

What is the primary purpose of a Digital Signature?

To verify the authenticity and integrity of a message.

Flashcards

SNMP GetBulkRequest

A message sent from a network management system (NMS) to an agent, requesting a large block of data from the agent's MIB.

SNMP InformRequest

A message sent from one NMS to another NMS, informing the recipient about changes in the MIB of a managed device.

SNMP Trap

A message sent from an agent to an NMS, signaling the occurrence of a significant event or an error.

Remote Procedure Call (RPC)

A mechanism that allows a program on one computer to execute a procedure (function) on another computer across a network.

RPC Identifier

A unique number assigned to each procedure (function) available for remote execution via RPC.

Network Layer: Data Plane

The part of the network responsible for forwarding packets based on their IP addresses.

Network Layer: Control Plane

The part of the network responsible for managing routes and network topology.

IP Datagram Format

The structure of an IP packet, specifying the header and payload fields.

SMTP

Simple Mail Transfer Protocol, a network protocol used to send email messages between email servers.

POP3

Post Office Protocol version 3, a protocol used to retrieve email messages from a mail server to a client.

IMAP

Internet Message Access Protocol, a protocol used to access email messages on a mail server, allowing you to manage them remotely.

DNS (Domain Name System)

A hierarchical and distributed database that translates domain names (like google.com) into their respective IP addresses.

Root Name Servers

The top-level servers in the DNS hierarchy, that are globally distributed and handle the initial lookups for domain names.

Authoritative Name Server

A server that holds the definitive records for a specific domain, providing the IP address for that domain.

DNS Caching

A process where DNS resolvers store recent lookups to speed up future requests for the same information.

DNS Records

Entries in the DNS database that hold various information about a domain, such as its IP address, mail server, etc.

Load Balancer

A device that distributes incoming network traffic across multiple servers, improving performance and reliability.

Symmetric Key Cryptography

A type of encryption where the same key is used for both encryption and decryption. This key needs to be shared securely between the sender and receiver.

Automated Scaling Listener

A component that monitors resource usage and automatically scales resources up or down based on pre-defined thresholds.

Public Key Cryptography

A system using two keys: a public key for encryption and a private key for decryption. The public key is shared, while the private key remains secret.

RSA Algorithm

A widely used public-key cryptosystem. It relies on the difficulty of factoring large numbers into their prime factors. It's used for secure data transmission and digital signatures.

Failover Mechanisms

Strategies that ensure continuous service availability by automatically switching to a backup system in case of a primary system failure.

Container Orchestration

The automated process of managing and coordinating multiple containers, including deployment, networking, and scaling.

Cipher-Block Chaining (CBC)

A mode of operation used in block ciphers. It encrypts a block with the previous encrypted block, essentially creating a chain of dependencies. This enhances security by making each block's encryption dependent on previous blocks.

Denial of Service Attack

An attack designed to overwhelm a system with excessive traffic, making it unavailable to legitimate users.

What is Network Security?

It's the protection of network infrastructure and data from unauthorized access, use, disclosure, disruption, modification, or destruction. It involves various security measures to prevent attacks and ensure data confidentiality, integrity, and availability.

What is Cloud Computing?

Cloud computing refers to the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale.

Cloud Delivery Models

Different ways cloud services are offered, categorized by who manages the infrastructure and what services are provided.

Hypervisor

A software layer that allows multiple operating systems to run simultaneously on a single physical machine.

Containers

Lightweight, isolated user-space environments that package software and its dependencies (libraries, tools) into a single unit for easy deployment across different environments.

Benefits of Containers

Containers offer several advantages, including:
  • Improved resource utilization
  • Faster deployment and portability
  • Consistent execution across environments
  • Enhanced isolation between applications

RSA: purpose

RSA is an asymmetric encryption algorithm that uses two keys, a public key and a private key, to encrypt and decrypt data. The public key can be distributed to anyone, while the private key is kept secret. This allows anyone to encrypt messages that can only be decrypted by the person who has the private key.

RSA: key generation

In RSA, the public and private keys are generated by choosing two large prime numbers and multiplying them together. This product is called the modulus. The modulus is used to encrypt and decrypt data, while the prime numbers are used to generate the public and private keys.

Cryptographic Hash Function: purpose

A cryptographic hash function converts data of any length (message) into a fixed-length string of characters (hash value). This hash value uniquely identifies the original data, making it suitable for verifying data integrity.

Message Authentication Code (MAC): purpose

A MAC is a type of hash function used to verify message integrity and authenticity. It combines the message with a secret key and produces a hash value that is unique to the message and the key.

MAC: verification

To verify a message with a MAC, the receiver calculates the MAC of the received message using the shared secret key. If the calculated MAC matches the MAC sent by the sender, the message is considered authentic and intact.

Digital Signature: purpose

A digital signature is a cryptographic technique used to ensure message authenticity and integrity. It involves using a public key to encrypt a hash of the message, producing a signature that can only be verified by the corresponding private key.

Transport Layer Security (TLS): handshake

TLS handshake is a process used to establish a secure connection between a client and a server before exchanging data. It includes verifying identities, exchanging cryptographic keys, and setting up secure communication channels.

TLS: encryption

Once the handshake is completed, TLS encrypts all communication using a symmetric encryption algorithm. This ensures that all data exchanged between the client and server is confidential and protected from eavesdropping or tampering.

Study Notes

E-mail

  • Three major components: user agents, mail servers, simple mail transfer protocol (SMTP)
  • User Agent (e.g., Outlook, iPhone mail client): composing, editing, reading mail messages; outgoing and incoming messages stored on server
  • Mail servers: mailbox contains incoming messages for user; message queue of outgoing mail messages; SMTP protocol between mail servers to send email messages
  • SMTP (RFC 5321): uses TCP to reliably transfer email from client (mail server) to server, port 25; three phases of transfer (SMTP handshaking, transfer of messages, closure); command/response interaction (like HTTP)
  • Scenario example: Alice sends email to Bob (step-by-step process showing message transfer via SMTP)

SMTP: Observations

  • Comparison with HTTP: HTTP is client-pull, SMTP is client-push

Mail Message Format

  • SMTP: protocol for exchanging email messages (defined in RFC 5321)
  • RFC 2822 defines email message syntax (like HTML defines web document syntax)
  • Header lines (e.g., To:, From:, Subject:) and email body (ASCII characters only)

Retrieving Email: Mail Access Protocols

  • IMAP (Internet Message Access Protocol, RFC 3501): stores messages on server for retrieval (e.g., Gmail, Hotmail, Yahoo); provides retrieval, deletion, folders
  • HTTP (e.g., Gmail, Hotmail, Yahoo!): web-based interfaces on top of SMTP for sending and IMAP for retrieving emails

Domain Name System (DNS)

  • Distributed database implemented in a hierarchy of many name servers
  • Service that almost all other applications depend upon
  • Application-layer protocol: hosts and DNS servers communicate to resolve names
  • DNS runs over UDP protocol, using UDP port 53
  • Translates host names into host addresses (Name Space)
  • DNS services (hostname-to-IP-address translation, host aliasing, mail server aliasing, load distribution)
  • DNS structure (DNS services; reasons why DNS can't be centralized)

DNS: services, structure

  • Hostname-to-IP-address translation
  • Host aliasing
  • Mail server aliasing
  • Load distribution
  • Why DNS is not centralized (traffic volume; maintenance)

DNS: root name servers

  • Crucial "contact of last resort" for name resolution
  • Manages root DNS domain
  • Managed by ICANN (Internet Corporation for Assigned Names and Numbers)
  • 13 logical root servers worldwide; replicated many times

Top-Level Domain (TLD) and authoritative servers

  • Responsible for top-level domains (e.g., .com, .org, .net, .edu)
  • Organizations maintain their authoritative DNS servers
  • Mapping domain names to IP addresses

Local DNS Name Servers

  • When a host makes a DNS query, it's sent to its local DNS server
  • Local DNS server returns a reply, possibly using cache of recent name-to-address mappings or forwarding.
  • Each ISP has its own local DNS server.

DNS Name Resolution

  • Iterated query: Server contacted replies with name of server to contact
  • Recursive query: Burden on contacted server to resolve name

Caching DNS Information

  • Caching improves response time by caching DNS mappings
  • Cache entries timeout (TTL)
  • Cached entries may be out-of-date

DNS records

  • RR (Resource Record) format: (name, value, type, ttl)
  • type=A: name is hostname, value is IP address
  • type=NS: name is hostname, value is IP address of authoritative nameserver

DNS Security

  • DDoS attacks (bombarding root servers with traffic)
  • Spoofing attacks (intercepting DNS queries with bogus replies)

Network Management

  • Components of network management (managed device, data, network management protocol)
  • Network management approaches (command line interface (CLI), SNMP, NETCONF/YANG)
  • SNMP protocol: message types (GetRequest, GetNextRequest, GetBulkRequest, SetRequest, InformRequest, Response)

Remote Procedure Call (RPC)

  • RPC is a mechanism, not a protocol; for structuring distributed systems
  • Network properties and architectures can vary across computing systems
  • Two components: (a) Protocol for message exchange; (b) Programming Language and Compiler Support to enable packaging of arguments (and return values).

RPC Implementations

  • SunRPC, IETF ONC RPC, DCE-RPC, CORBA, MS DCOM, ActiveX, gRPC

NETCONF

  • goal: actively manage/configure devices network-wide
  • Operates between managing server and managed network devices
  • Actions: retrieve, set, modify, activate configurations
  • Atomic-commit actions over multiple devices
  • Query operational data and statistics
  • Subscribe to notifications from devices
  • Remote procedure call paradigm, using RPC
  • NETCONF protocol messages encoded in XML; uses reliable transports (e.g., TLS)
  • NETCONF commands such as , , , , , and

YANG

  • Modeling language for representing configuration and Operational State data
  • Unifies transport layer protocols, carrying structured data, not raw.

Network Layer

  • Forwarding: Move packets from router input to appropriate output
  • Routing: Determine a packet's route from source to destination
    ○ Methods: Per-router control (traditional); Logically centralized control (software-defined networks)

IP Datagram Format

  • IP Protocol version number
  • Header length (bytes)
  • Type of service
  • Time to live
  • Protocol (upper layer such as TCP or UDP)
  • Source IP Address
  • Destination IP Address

IPv6: Motivation

  • 32-bit address space allocation limit (IPv4)
  • Improve forwarding/processing speeds (fixed-length 40-byte header)
  • Enable network-layer treatment of "flows"

IP Addressing: Introduction

  • 32-bit identifier associated with each host/router interface
  • Connection between host/router and physical link
  • Routers typically have multiple interfaces
  • Hosts typically one or two interfaces

DHCP: Dynamic Host Configuration Protocol

  • Host dynamically obtains IP address from network server
  • Renews address lease

DHCP Client-Server Scenario

  • Step-by-step description of DHCP process for a client obtaining IP address information

Generalized Forwarding

Review of match-plus-action forwarding; destination-based vs generalized forwarding; forwarding table entries

OpenFlow examples

  • Destination-based forwarding example
  • Block (drop) arriving datagrams destined to a specific TCP/UDP port
  • Other examples of switch actions based on source or destination IP and/or port number; layer 2 forwarding

Orchestrated forwarding: Summary

  • "Match plus Action" abstraction.
  • Local actions (e.g. Drop, Forward, Modify)
  • "Program" network-wide behavior
  • Programmable per-packet processing (simple form of network programmability)

Software-Defined Networking (SDN)

  • Network layer: historically implemented with distributed, per-router control
  • Models: monolithic router (hardware); separate control and data planes

Network Security

  • Main goals: confidentiality, authentication, message integrity.
  • Tasks in designing a security service
  • Cryptanalysis
  • Types of security attacks: eavesdropping, impersonation, hijacking, denial-of-service.
  • Cryptography: Techniques for disguised data
  • Confidentiality, Integrity, Nonrepudiation and Availability.

Cryptographic Hash Functions (Hash Functions)

  • Hash function for which it is computationally infeasible to find (1) an input that maps to a predefined hash/digest result; (2) two inputs that map to the same hash result
  • Cryptographic hash functions (e.g.: MD5; SHA): produce fixed-length digests
  • Commonly used properties of hash functions.

Message Authentication Code (MAC)

  • Alice creates a message m and calculates H(m)
  • Appends H(m) to the message and sends (m, H(m)) to Bob
    ○ Bob calculates H(m) and checks whether it matches the received H(m); if it does, the message is valid
  • Requires a shared secret s (authentication key)
    ○ MAC = H(m+s); the MAC is appended to the message
    ○ Bob receives (m, h), computes H(m+s), and accepts the message as valid if the two are equal

Digital signatures

  • authentication, creating a verifiable, nonforgeable code

Public Key Cryptography

  • Diffie-Hellman (DH), RSA
  • Public-key algorithms and mathematical functions

RSA Algorithm

  • Getting ready: mapping messages to integers
  • Generating public/private keys
    ○ choose primes p and q
    ○ compute n = pq, z = (p-1)(q-1)
    ○ choose e that is relatively prime to z
    ○ choose d such that (ed-1) is exactly divisible by z (in other words: ed mod z = 1)
  • Encryption/decryption steps (m < n):
    ○ c = m^e mod n
    ○ m = c^d mod n

Comparison of MAC and digital signatures

  • MAC: Does not use public/private key encryption
  • Digital signatures: Does use public/private key encryption (two-steps)

Certification Authorities (CAs)

  • Bind public keys to particular entities (person, website, etc.) ○ Proof of identity
  • Certifies E's public key; digitally signs it
  • Standards for CAs (ITU X.509)

IP Security (IPsec)

  • Used to protect datagrams across networks
  • Security Associations (SA), which define security parameters
  • Two modes (transport; tunnel)
  • Protocols: Authentication Header (AH); Encapsulating Security Payload (ESP)

IKE: Internet Key Exchange

  • Key management procedure for IPsec
  • Manual vs automatic key establishment
  • PSK (pre-shared keys) and PKI (public/private key infrastructure) for authentication

Firewalls

  • Devices to isolate intranets from larger Internet
  • Forms of firewalls (stateless, stateful)
  • Access Control Lists (ACLs)
  • Intrusion Detection Systems (IDS)

Cloud Computing

  • Services delivered remotely and on demand, e.g.: Amazon Web Services (AWS) and Elastic Compute Cloud (EC2) Services; Google App Engine, and Google Apps
  • Business drivers (cost reduction, agility, technological innovation)
  • Technology innovations (clustering, grid computing, virtualization, containerization)
  • Characteristics of cloud computing (demand usage, ubiquitous access)
  • Cloud delivery models (IaaS, PaaS, SaaS)
  • Cloud deployment models (public, private, hybrid, multicloud)
  • Cloud infrastructure mechanisms (virtual servers, containers, hypervisors and related components)
  • Cloud usage monitor, automatic scaling listener, failover and other mechanisms

Container Orchestration

  • Automated deployment, scaling and management of containerized applications
  • Key components (Container Runtime, API Server, Scheduler, Controller Manager, Distributed Key-Value Store, Networking, Storage)

Related Documents

Networked Apps Notes PDF

Description

Test your knowledge on cloud computing security concepts, including intrusion detection systems, load balancers, and cryptography. This quiz covers various topics related to cloud deployment models and security mechanisms, challenging your understanding of their functions and purposes.
