Chapter 12 Network Security

Questions and Answers

What is the primary function of Software-Defined Networking (SDN)?

• To provide internet access to remote devices
• To create physical network devices
• To control networks using software-based configuration (correct)
• To eliminate the need for network configurations

How does SD-WAN manage different types of connectivity services?

• By relying solely on MPLS connections
• By combining multiple connectivity services dynamically (correct)
• By isolating traffic to specific network devices
• By using a single, high-speed internet connection only

What does the term 'forwarding equivalence class' (FEC) refer to in MPLS?

• A data label used for routing traffic (correct)
• A unique network address for each data packet
• A protocol for email communication
• A classification system for network security

What advantage does SD-WAN provide in terms of cost management?

It allows for the use of less expensive connection methods (C)

In SDN, how can security be dynamically configured?

By adding or isolating systems based on authorization needs (A)

Which of the following describes a common use of MPLS?

To ensure real-time traffic delivery for voice or video (C)

What is the primary purpose of Domain Name System Security Extensions (DNSSEC)?

To authenticate DNS data and validate DNS queries (D)

What challenge are organizations facing that is causing them to move away from MPLS?

The high expense associated with using MPLS connections (B)

Which technology is typically used in conjunction with SD-WAN?

Multiprotocol Label Switching (MPLS) (D)

Which is a key technique for enhancing DNS security?

Blocking DNS requests to malicious domains (A)

How does DNS filtering help protect organizations from phishing attacks?

By redirecting users to a warning site when they try to access a phishing domain (B)

What is the role of the DKIM-Signature header in email security?

To provide a digital signature for verifying the email's sender (A)

Which of the following methods is NOT part of securing email communication?

DNS filtering (A)

What technology allows organizations to add content to messages to verify their origin?

DomainKeys Identified Mail (DKIM) (B)

Which method is used to leverage community knowledge about malicious domains?

Threat and block list feeds (A)

What happens to DNS queries that involve domains on the prohibited list by DNS filtering?

They receive an alternate response, often redirecting to a warning site (D)

What is a primary function of Secure/Multipurpose Internet Mail Extensions (S/MIME)?

To encrypt and sign MIME data (A)

Which secure protocol is specifically designed for use with Post Office Protocol (POP) and Internet Message Access Protocol (IMAP)?

Internet Message Access Protocol Secure (IMAPS) (B), Post Office Protocol Secure (POPS) (C)

What complexity does S/MIME introduce for users wanting secure communication?

Management and validation of certificates (B)

Which of the following is NOT a method to enhance email security mentioned in the content?

Secure Hypertext Transfer Protocol (SHTP) (B)

What is a limitation of Simple Mail Transfer Protocol (SMTP) regarding security?

SMTP lacks a secure option (B)

Why is S/MIME used less frequently despite its capabilities?

It requires certificates which complicate usage (D)

What is the most common secure protocol for email access today?

Hypertext Transfer Protocol Secure (HTTPS) (A)

What does S/MIME provide for emails in terms of security?

Nonrepudiation, integrity, authentication, and confidentiality (B)

What is the primary purpose of an Intrusion Prevention System (IPS)?

To block unauthorized access in real time (B)

Which of the following is NOT a function of a firewall?

Conducting advanced malware analysis (B)

What does DNS filtering primarily protect against?

Malicious websites and phishing attacks (D)

Which of the following protocols is commonly used for secure communication tunneling?

Internet Protocol Security (IPSec) (A)

Which component is crucial for implementing Network Access Control (NAC)?

Endpoint compliance checking (B)

Which security method is primarily used to protect email communications?

Domain-based Message Authentication Reporting and Conformance (DMARC) (C)

What is the main function of a Load Balancer in network security?

Distributing traffic across multiple servers (B)

What role does a Web Application Firewall (WAF) serve?

Filtering and monitoring HTTP traffic to and from a web application (C)

What is the primary purpose of VLAN tags in a network?

To create separate broadcast domains within a network (D)

Which of the following describes the functionality of a broadcast domain?

Only devices in the same broadcast domain can receive a broadcast packet (A)

What is a primary characteristic of screened subnets, also known as DMZs?

They contain systems exposed to less trusted areas of the network (C)

What distinguishes an intranet from an extranet?

Intranets typically restrict external access, while extranets allow it (D)

What is a core concept of Zero Trust networks?

Every system and user is treated similarly in terms of trust (C)

Why do organizations limit broadcast domains in their networks?

To reduce network congestion by limiting broadcast traffic (B)

What is the main function of an extranet?

To facilitate external access for partners or customers (A)

Which of the following statements correctly describes broadcasts in relation to networking?

All devices inside a broadcast domain respond to broadcasts (D)

What is the primary purpose of physical isolation?

To separate devices to prevent remote attacks. (A)

Which of the following describes a role of reputation services?

To monitor or block malicious actors. (C)

What does Secure Access Service Edge (SASE) primarily offer?

Secure access and policy-based security for devices. (B)

How does physical isolation prevent data breaches?

By requiring physical access for data transfers. (D)

In what way do reputation services enhance organizational security?

By providing insights combined with threat feeds. (B)

What is the foundation of identity-based network segmentation in threat scope reduction?

Least privilege principle (A)

Which component is responsible for executing decisions in a Zero Trust Policy model?

Policy Administrator (B)

Which term describes the devices and users seeking access within a Zero Trust Data Plane?

Subjects and systems (A)

What role do Policy Enforcement Points play in the Zero Trust model?

Enforcing decisions made by the Policy Engine (D)

What is a characteristic of implicit trust zones within a Zero Trust Data Plane?

They permit use and movement upon authentication (A)

What role do Policy Administrators play in a security environment?

They establish or remove communication paths between subjects and resources. (D)

What is a key feature of the Control Plane in a Zero Trust architecture?

It includes adaptive identity for context-based authentication. (D)

How do Policy Engines make access decisions?

Based on a predefined set of rules and external system inputs. (A)

What is the purpose of a trust algorithm in the context of access control?

To decide whether to grant, deny, or revoke access to resources. (A)

What is meant by 'limited blast radius' in Zero Trust design?

Restricts potential damage by limiting subject capabilities. (D)

What action does the Policy Administrator take if access is denied?

They instruct the policy enforcement point to terminate the session. (A)

Which of the following components does the Control Plane NOT include?

Data movement and storage. (D)

How do Policy Enforcement Points relate to Policy Administrators?

They communicate requests and follow instructions from Policy Administrators. (C)

What is a key disadvantage of inline network devices?

They can potentially create a point of failure. (B)

What distinguishes active taps from passive taps?

Active taps require power and have separate network ports. (C)

Which characteristic of passive taps ensures that traffic is not interrupted?

They have a direct path between network ports. (D)

Which statement is true about taps used in network monitoring?

Taps can provide a copy of traffic while allowing it to continue. (C)

What potential issue can arise from inline devices failing?

They may lead to total traffic interruption. (D)

Flashcards are hidden until you start studying

Study Notes

Security Appliances and Controls

• Network appliances include Jump servers, Proxy servers, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Load balancers, and Sensors.
• Port security protocols: 802.1X for authentication and Extensible Authentication Protocol (EAP) for secure access.
• Different firewall types: Web Application Firewall (WAF), Unified Threat Management (UTM), Next-Generation Firewall (NGFW), Layer 4 and Layer 7 firewalls.
• Secure communication methods incorporate Virtual Private Networks (VPN), Remote Access, Tunneling with Transport Layer Security (TLS) and Internet Protocol Security (IPSec).
• Software-Defined WAN (SD-WAN) facilitates optimal network routing and cost efficiency by integrating various connection technologies.

Security Operations Techniques

• Hardening techniques for computing resources focus on securing switches and routers.
• Security alerting involves tools such as Simple Network Management Protocol (SNMP) traps for monitoring.
• Modifications to enterprise capabilities include firewall rule adjustments, access control lists, and trends in IDS/IPS signatures.
• Web filtering strategies consist of agent-based solutions, URL scanning, content categorization, and block rules based on domain reputation.
• Email security employs DMARC, DKIM, and SPF to authenticate email sources and prevent spoofing.

Software-Defined Networking (SDN) and SD-WAN

• SDN leverages software for network control, allowing dynamic tuning based on performance metrics.
• Centralized controllers in SDN manage network devices for flexible configurations.
• SD-WAN combines various connectivity services (MPLS, 4G, 5G) to enhance high availability and maintain cost-effectiveness.

Network Segmentation

• VLANs allow different ports on switches to belong to the same broadcast domain, reducing noise.
• Concept of screened subnets (DMZs) for systems exposed to less trusted areas, mainly for web servers.
• Intranets serve internal information purposes, while extranets provide access to external partners or customers.
• Zero Trust architecture assumes no inherent trust, implementing strict internal and external security measures.

DNS Security

• DNSSEC authenticates DNS data, ensuring queries are validated even when not encrypted.
• Configuring DNS servers to prevent zone transfers and enable logging is crucial for DNS security.
• DNS filtering blocks access to malicious domains and redirects users to informational warning pages.

Email Security Protocols

• DKIM allows message content to be verified as originating from the claimed domain.
• SPF helps to verify sender's domain, while DMARC combines both DKIM and SPF for better protection against spoofing.
• Secure protocols for email include POPS and IMAPS, implementing TLS for secure communication.
• S/MIME encrypts email content and attachments, requiring certificate management which adds complexity.
• SMTP is not inherently secure, yet efforts like SMTPS have not gained widespread adoption.

Physical Isolation

• Separates devices with no connection between them
• Commonly referred to as an air-gapped design
• Prevents remote attackers from accessing data between systems

Reputation Services

• Track IP addresses, domains, and hosts involved in malicious activity
• Allow organizations to monitor or block potentially malicious actors and systems
• Often combined with threat feeds and log monitoring

Secure Access Service Edge (SASE)

• Combines VPNs, SD-WAN, and cloud-based security tools
• Provides secure access for devices regardless of their location
• Ensures endpoint and data security, and delivers policy-based security across an organization's infrastructure and services

Subjects, Policy Engines, and Policy Administrators

• Subjects: Users, services, or systems that request access to resources.
• Policy Engines: Determine access based on rules and external systems like threat intelligence, identity management, and SIEM devices. They use a trust algorithm and log decisions.
• Policy Administrators: Components that control access by establishing or removing communication paths between subjects and resources. They create session-specific tokens, deny access, and end sessions.
• Policy Enforcement Points: Communicate with Policy Administrators to forward requests and receive instructions on allowed connections. They are typically deployed as a local client/application and a gateway element.

Zero Trust Planes

• Two key planes:
  • Control Plane: Responsible for policy decision-making and access control.
  • Data Plane: Responsible for enforcing access control decisions and managing trust zones.
• Control Plane Components:
  • Adaptive Identity: Context-based authentication considering location, device, and security requirements. May request additional validation or decline authentication.
  • Threat Scope Reduction: Limits the impact of security breaches by using least privilege and identity-based network segmentation.
  • Policy-driven Access Control: Uses policies enforced by Policy Engines, Policy Administrators, and Policy Enforcement Points.

Data Plane Components

• Implicit Trust Zones: Allow access and movement once a subject is authenticated by a Zero Trust Policy Engine.
• Subjects/Systems: Devices and users seeking access.
• Policy Enforcement Points: Enforce access control decisions based on policies.

Inline Network Devices

• Inline network devices have network traffic pass through them.
• They provide the opportunity to interact with traffic, including modifying or stopping it.
• Inline devices can be a potential point of failure, as they can cause an outage if they stop working.
• Some inline devices are equipped with features that allow them to fail open instead of failing closed.

Taps or Monitors

• Taps copy network traffic for inspection, allowing access to a copy of the traffic without interrupting it.
• Taps don't allow interaction with traffic.
• Taps are used for monitoring, analysis, and security purposes.
• Taps avoid the problem of potential failures causing outages.

Active Taps

• Require power to operate.
• Have physically separate network ports without a direct connection.
• Power outages or software failures can interrupt traffic.

Passive Taps

• Have a direct path between network ports.
• Passive optical taps split light to create copies.
• Copper network passive taps require power but maintain a direct path, meaning power outages won't interrupt traffic.